sebb wrote on Thu, Oct 11, 2012 at 09:48:25 +0100:
> On 11 October 2012 02:39, Daniel Shahaf <[email protected]> wrote:
> > Greg Stein wrote on Wed, Oct 10, 2012 at 21:31:30 -0400:
> >> Not too much. We still instruct users "take the signatures and verify
> >> them against blah.apache.org/KEYS". John Blackhat could replace the
> >> signatures and install his entry into KEYS.
> >
> > If you use https://people.apache.org/keys/ instead of KEYS files in the
> > dist/ tree, John would have to crack two machines rather than one.
>
> Last time I looked, the process downloads the key from a PGP server
> (which does not provide any auth at all) using the key id(s) in LDAP.
>
> I assume you mean John would have to obtain credentials to be able to
> alter the key id in the signer's LDAP record?
>
> AFAIK, this is the same LDAP that is used to authenticate SVN access
> (which is all that is needed to upload new archives and KEYS).
>
> Seems like a single point of failure to me - or maybe I am missing
> something here?

LDAP is a single point of failure, but with that you can't forge
anything without causing a post-commit email.

> > > </plug> :-P
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: [email protected]
> > For additional commands, e-mail: [email protected]
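The verification step the thread argues over, as an added example that is not code from the thread or from the ASF: a consumer imports the KEYS file into a throwaway keyring, verifies the detached signature, and then insists that the signer's full fingerprint equals one obtained out of band, because a key ID looked up on a keyserver proves nothing about who holds the key. The artifact name, the user ID and the release bytes are constructed test data; the GnuPG flags used are the standard ones (`--homedir`, `--status-fd`, `--verify`, `--quick-generate-key`).

```shell
#!/bin/sh
# Added example, not code from the thread or from the ASF: verify a release
# artifact's detached OpenPGP signature against a KEYS file in an isolated
# keyring, then require the signer's FULL fingerprint to match a pinned one.
# File names, the user ID and the release bytes below are constructed.

# verify_release ARTIFACT SIGNATURE KEYS_FILE EXPECTED_FINGERPRINT
# Exit status: 0 good signature by the pinned key; 1 bad or unverifiable
# signature; 2 good signature, but made by a key other than the pinned one.
verify_release() {
    artifact=$1; sig=$2; keys=$3; expected_fpr=$4

    # Import KEYS into a fresh GNUPGHOME so nothing leaks into, or is
    # inherited from, the user's own keyring.
    home=$(mktemp -d)
    status=$(mktemp)
    chmod 700 "$home"
    gpg --homedir "$home" --batch --quiet --import "$keys" >/dev/null 2>&1

    # gpg writes machine-readable status lines to fd 3; the VALIDSIG line
    # carries the full fingerprint of the key that produced the signature.
    rc=0
    gpg --homedir "$home" --batch --status-fd 3 --verify "$sig" "$artifact" \
        3>"$status" >/dev/null 2>&1 || rc=$?
    actual_fpr=$(awk '$2 == "VALIDSIG" { print $3; exit }' "$status")

    gpgconf --homedir "$home" --kill gpg-agent >/dev/null 2>&1 || true
    rm -rf "$home" "$status"

    [ "$rc" -eq 0 ] || return 1
    # A matching key ID is not enough: a keyserver hands out whatever key
    # claims that ID. Only the full fingerprint identifies the key.
    [ -n "$actual_fpr" ] && [ "$actual_fpr" = "$expected_fpr" ] || return 2
}

# make_fixture DIR: builds the constructed test data (a throwaway signing
# key, its exported KEYS file, a fake tarball and its .asc) and prints the
# key's fingerprint, standing in for the value a verifier gets out of band.
make_fixture() {
    dir=$1
    signer="$dir/signer"
    mkdir -p "$signer"
    chmod 700 "$signer"
    gpg --homedir "$signer" --batch --quiet --pinentry-mode loopback \
        --passphrase '' --quick-generate-key \
        'Example Release Manager <[email protected]>' ed25519 sign never \
        >/dev/null 2>&1
    fpr=$(gpg --homedir "$signer" --batch --with-colons --list-keys 2>/dev/null \
        | awk -F: '$1 == "fpr" { print $10; exit }')
    # A real KEYS file also carries a human-readable key listing; gpg
    # ignores anything outside the armored blocks on import.
    gpg --homedir "$signer" --batch --armor --export "$fpr" > "$dir/KEYS"
    printf 'pretend release bytes\n' > "$dir/project-1.0.tar.gz"
    gpg --homedir "$signer" --batch --quiet --pinentry-mode loopback \
        --passphrase '' --armor --detach-sign \
        --output "$dir/project-1.0.tar.gz.asc" "$dir/project-1.0.tar.gz" \
        >/dev/null 2>&1
    gpgconf --homedir "$signer" --kill gpg-agent >/dev/null 2>&1 || true
    echo "$fpr"
}

# Demo when run directly (skipped where GnuPG is not installed).
if command -v gpg >/dev/null 2>&1; then
    work=$(mktemp -d)
    pinned=$(make_fixture "$work")
    verify_release "$work/project-1.0.tar.gz" "$work/project-1.0.tar.gz.asc" \
        "$work/KEYS" "$pinned" \
        && echo "good signature from pinned key $pinned" \
        || echo "verification failed (status $?)"
    rm -rf "$work"
fi
```

The pinned fingerprint is the part that has to come from somewhere other than the download site or a keyserver (a previous release you already trust, the project's signed announcement, or a fingerprint the release manager published separately); with it, replacing the signature and KEYS on one server, or swapping the key ID in one LDAP record, no longer yields a "good signature" on its own.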
