Re: Key security (Re: KEYS and releases)

2011-06-28 Thread Daniel Shahaf
Nick Kew wrote on Tue, Jun 28, 2011 at 14:13:51 +0100:
> As of now, how would you know if I were to smuggle in a key
> pretending to be yours and start signing things?

Don't stop here. If you can smuggle a signature into dist/ then you can smuggle an artefact too. -

Re: Key security (Re: KEYS and releases)

2011-06-28 Thread Nick Kew
On 28 Jun 2011, at 13:22, Benson Margulies wrote:
> There's another possible dimension to this, which is related to the
> 'Apache Key' suggestion.
>
> The current mechanism gives a /sophisticated/ consumer tools to get
> some confidence that what they downloaded was, in fact, created by
> someon

Re: Key security (Re: KEYS and releases)

2011-06-28 Thread Benson Margulies
There's another possible dimension to this, which is related to the 'Apache Key' suggestion. The current mechanism gives a /sophisticated/ consumer tools to get some confidence that what they downloaded was, in fact, created by someone in the Apache infrastructure. If a dozen black hats create PG

Re: Key security (Re: KEYS and releases)

2011-06-28 Thread Daniel Shahaf
I'm not sure what I think of your suggestion of having an "ASF PGP key". How about requiring committers to specify on id.a.o not just the last few bytes of their key's fingerprints, but the whole fingerprint?

Nick Kew wrote on Tue, Jun 28, 2011 at 11:43:24 +0100:
>
> On 28 Jun 2011, at 09:53, J

Key security (Re: KEYS and releases)

2011-06-28 Thread Nick Kew
On 28 Jun 2011, at 09:53, Jukka Zitting wrote:
> Hi,
>
> On Tue, Jun 28, 2011 at 10:29 AM, Bertrand Delacretaz
> wrote:
>> Hence the need for people to download KEYS files from an *.apache.org
>> domain that we do control. Putting KEYS in a distribution might cause
>> people to use them instead