On Thu, Oct 11, 2012 at 9:48 AM, sebb <[email protected]> wrote:

> On 11 October 2012 02:39, Daniel Shahaf <[email protected]> wrote:
> > Greg Stein wrote on Wed, Oct 10, 2012 at 21:31:30 -0400:
> >> Not too much. We still instruct users "take the signatures and verify
> >> them against blah.apache.org/KEYS". John Blackhat could replace the
> >> signatures and install his entry into KEYS.
> >
> > If you use https://people.apache.org/keys/ instead of KEYS files in the
> > dist/ tree, John would have to crack two machines rather than one.
>
> Last time I looked, the process downloads the key from a PGP server
> (which does not provide any auth at all) using the key id(s) in LDAP.
>

The recommended procedure is to ask the users to download the KEYS file
directly from the root of the dist dir, and import all the keys directly
from that. As far as I know. That's how we do it on CouchDB. I think httpd
does that too.


-- 
NS
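The procedure described above (fetch KEYS from the root of the dist dir, import it, and accept a signature only if it comes from one of those keys), as an added Python example that is not from this thread or from any Apache project. It shells out to gpg, assumes the artifact, its detached `.asc` and the KEYS file are already on disk, and the fingerprints in the comments and tests are constructed.

```python
"""Verify a release artifact against a KEYS file in an isolated keyring."""
import re
import subprocess
import tempfile

# gpg --status-fd lines: IMPORT_OK carries the imported primary-key fingerprint,
# VALIDSIG ends with the primary-key fingerprint of the signing key.
_IMPORT_OK = re.compile(r"^\[GNUPG:\] IMPORT_OK \d+ ([0-9A-F]{40})$")
_BAD = re.compile(r"^\[GNUPG:\] (BADSIG|ERRSIG|NO_PUBKEY|EXPKEYSIG|REVKEYSIG)\b")
_FPR = re.compile(r"[0-9A-F]{40}")


def trusted_fingerprints(import_status: str) -> set:
    """Fingerprints gpg reported when importing the KEYS file."""
    return {m.group(1) for m in map(_IMPORT_OK.match, import_status.splitlines()) if m}


def signature_is_trusted(verify_status: str, trusted: set) -> bool:
    """True only if gpg reports a valid signature AND the key came from KEYS.

    A GOODSIG from a key that merely happens to sit in the user's default
    keyring is not enough; the decision is anchored to the KEYS file alone.
    """
    primaries = set()
    for line in verify_status.splitlines():
        if _BAD.match(line):
            return False
        if line.startswith("[GNUPG:] VALIDSIG "):
            primary = line.split()[-1]  # field 3 is the signing (sub)key
            if not _FPR.fullmatch(primary):
                return False  # old gpg without primary fpr: fail closed
            primaries.add(primary)
    return bool(primaries) and primaries <= trusted


def _gpg(home: str, *args: str) -> str:
    # Throwaway keyring, no keyserver fallback, machine-readable status lines.
    proc = subprocess.run(
        ["gpg", "--homedir", home, "--batch", "--no-auto-key-retrieve",
         "--status-fd", "1", *args],
        capture_output=True, text=True, check=False)
    return proc.stdout


def verify_release(artifact: str, signature: str, keys_file: str) -> bool:
    """Import KEYS into a temporary GNUPGHOME and verify the detached signature."""
    with tempfile.TemporaryDirectory() as home:
        trusted = trusted_fingerprints(_gpg(home, "--import", keys_file))
        return signature_is_trusted(_gpg(home, "--verify", signature, artifact), trusted)
```

Because the keyring is created fresh for each run, a key that an attacker slipped into a keyserver or into the user's own keyring never enters the decision; only what KEYS contained does.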
