>> Hence the need for people to download KEYS files from an *.apache.org
>> domain that we do control. Putting KEYS in a distribution might cause
>> people to use them instead of getting them from a trusted source, and
>> that's bad.
>
> The keys should be included in the web of trust, so it shouldn't
> matter from where a user gets the keys.
>
> Without the web of trust, the PGP signatures are just a rather
> elaborate version of the MD5 and SHA1 checksums we also provide.
>
> Of course, without being included in the web of trust, the best a user
> can do is to get at least one of the keys from a trusted source.
It should, but I don't know a single project (I don't know all of them, of course) where it has been asked on a dev list: "I have no trusted key. Is there a trusted user out there who could please sign my release artifacts?"

I would like to know how many of the signing keys that have been used for our releases are actually trusted.

---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org
For additional commands, e-mail: general-h...@incubator.apache.org
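The distinction the thread turns on, a signature that merely checks out versus a signature from a key that sits in your web of trust, is visible in gpg's machine-readable status output: GOODSIG says the bytes verify, while the TRUST_* line says whether the key is valid for you. The following shell helpers are an added example written for this page, not code from the thread or from any Apache project. classify_status reads `gpg --status-fd` output and reports which of the two cases you are in, and count_key_validity answers the second question above by tallying the validity field of a `gpg --with-colons --list-keys` listing (the keyring that results from importing a project's KEYS file). The function names, the path assumptions in verify_release, and the sample status and colon-listing lines used for testing are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the thread or any project): tell "good signature"
# apart from "signature by a key we actually trust", and count how many keys
# in an imported KEYS file are trusted at all.

# classify_status: read `gpg --status-fd 1 --verify` lines on stdin, print one
# word and return:
#   0  trusted        GOODSIG plus TRUST_FULLY or TRUST_ULTIMATE
#   2  marginal       GOODSIG plus TRUST_MARGINAL
#   2  untrusted-key  GOODSIG but TRUST_UNDEFINED/TRUST_NEVER or no TRUST_* line:
#                     the "elaborate checksum" case from the thread
#   1  invalid        BADSIG, ERRSIG, NO_PUBKEY, or no GOODSIG at all
classify_status() {
  local good=0 trust="" line
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in
      "[GNUPG:] GOODSIG "*)
        good=1 ;;
      "[GNUPG:] BADSIG "*|"[GNUPG:] ERRSIG "*|"[GNUPG:] NO_PUBKEY "*)
        echo invalid; return 1 ;;
      "[GNUPG:] TRUST_"*)
        # e.g. "[GNUPG:] TRUST_UNDEFINED 0 pgp" -> UNDEFINED
        trust=${line#"[GNUPG:] TRUST_"}
        trust=${trust%% *} ;;
    esac
  done
  if [ "$good" -ne 1 ]; then
    echo invalid; return 1
  fi
  case "$trust" in
    FULLY|ULTIMATE) echo trusted;       return 0 ;;
    MARGINAL)       echo marginal;      return 2 ;;
    *)              echo untrusted-key; return 2 ;;
  esac
}

# verify_release ARTIFACT SIGNATURE: run gpg and classify. Assumes (hypothetical
# workflow) that the KEYS file was already imported from the project's
# *.apache.org page, i.e. from a domain the project controls, never from inside
# the distribution itself.
verify_release() {
  gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null | classify_status
}

# count_key_validity: read `gpg --with-colons --list-keys` on stdin and count
# public keys by the validity field (field 2): u/f = trusted, m = marginal,
# anything else (-, q, n, e, r, ...) = not trusted in our web of trust.
count_key_validity() {
  awk -F: '
    $1 == "pub" {
      total++
      if ($2 == "u" || $2 == "f") t++
      else if ($2 == "m")        m++
      else                       untr++
    }
    END { printf "total=%d trusted=%d marginal=%d untrusted=%d\n", total, t, m, untr }'
}

# Usage (requires gpg and an imported keyring):
#   verify_release apache-foo-1.0.tar.gz apache-foo-1.0.tar.gz.asc
#   gpg --with-colons --list-keys | count_key_validity
```

A release whose signature classifies as untrusted-key has been checked for integrity only, which is exactly the "elaborate checksum" situation the thread describes; the remedy is to obtain the KEYS file from the project's own domain or to have at least one of the signing keys certified by someone already in your web of trust.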