On 11 Jul 2016, at 04:48, Shuai Lin <linshuai2...@gmail.com> wrote:
> at least links to the keys used to sign releases on the download page

+1 for that. Really, all release keys for ASF projects should be signed by others in the project and the broader ASF community; it's really time for the next ApacheCons and similar events to do key-signing sessions. Oh, and you should be verifying full signatures; generating collisions in short signatures is now computationally feasible. I've authenticated Patrick's key EEDA BD1C 71C5 48D6 F006 61D3 7C6C 105F FC8E D089 and pushed that fact up to the MIT keyservers; I'm willing to do the same for others over Skype/F2F. And at some point someone needs to enhance Ivy/Maven to check GPG signatures of artifacts on the public repos. Checksum validation is meaningless unless you are getting the checksums from a trusted HTTPS server *and* the version of the HTTP client you have gets its HTTPS signature logic right (something the ASF Commons HTTP libs haven't always done).
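The two checks the reply above asks for, written up as an added example that is not part of the thread and not any ASF project's code: a release-verification helper that accepts only a full 40-hex fingerprint match (never an 8-hex short ID or 16-hex long ID, since colliding short IDs are cheap to produce) and that refuses to trust a checksum unless it came over HTTPS from an expected host. The fingerprint is the one quoted in the reply; the trusted host `downloads.apache.org`, the checksum path `example.sha256`, the sample artifact bytes and the "colliding" fingerprint are all constructed for this example.

```python
import hashlib
import hmac
import re
from urllib.parse import urlparse

# Full fingerprint quoted in the reply above (the only key specific on the page).
TRUSTED_FINGERPRINTS = {"EEDA BD1C 71C5 48D6 F006 61D3 7C6C 105F FC8E D089"}

# Hosts from which a checksum file may be accepted: an assumption for this example.
TRUSTED_CHECKSUM_HOSTS = {"downloads.apache.org"}

# Constructed, not a real key: it shares the 8-hex short ID FC8ED089 with the
# trusted key but differs everywhere else. A short-ID comparison cannot tell
# the two apart; a full-fingerprint comparison can.
COLLIDING_FINGERPRINT = "0000 0000 0000 0000 0000 0000 0000 0000 FC8E D089"

# Constructed stand-in for a downloaded release artifact and its published digest.
SAMPLE_ARTIFACT = b"constructed release tarball bytes"
SAMPLE_SHA256 = hashlib.sha256(SAMPLE_ARTIFACT).hexdigest()


def normalize_fingerprint(fpr: str) -> str:
    """Strip whitespace and an optional 0x prefix and upper-case the hex digits."""
    s = re.sub(r"\s+", "", fpr).upper()
    if s.startswith("0X"):
        s = s[2:]
    if not re.fullmatch(r"[0-9A-F]+", s):
        raise ValueError(f"not a hex key identifier: {fpr!r}")
    return s


def short_key_id(fpr: str) -> str:
    """The 8-hex 'short key ID' is just the last 32 bits of the fingerprint."""
    return normalize_fingerprint(fpr)[-8:]


def fingerprint_matches(candidate: str, trusted=TRUSTED_FINGERPRINTS) -> bool:
    """True only if `candidate` is a full 40-hex (OpenPGP v4) fingerprint equal to
    one of the trusted fingerprints. Short (8) and long (16) key IDs are rejected
    outright rather than matched by suffix, so a colliding key cannot slip through."""
    c = normalize_fingerprint(candidate)
    if len(c) != 40:
        return False
    return c in {normalize_fingerprint(t) for t in trusted}


def checksum_source_is_trustworthy(url: str, trusted_hosts=TRUSTED_CHECKSUM_HOSTS) -> bool:
    """A published checksum is only as good as the channel it arrived over:
    require HTTPS and an expected host, otherwise whoever can rewrite the
    artifact in transit can rewrite the checksum to match."""
    p = urlparse(url)
    return p.scheme == "https" and p.hostname in trusted_hosts


def verify_artifact(data: bytes, expected_sha256: str, checksum_url: str) -> bool:
    """Compare the artifact's SHA-256 with the published digest, but only if the
    digest came from a trustworthy source; otherwise the check proves nothing."""
    if not checksum_source_is_trustworthy(checksum_url):
        return False
    digest = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(digest, expected_sha256.strip().lower())


if __name__ == "__main__":
    full = "EEDABD1C71C548D6F00661D37C6C105FFC8ED089"
    print(fingerprint_matches(full))                    # True
    print(fingerprint_matches("0xFC8ED089"))            # False: short ID rejected
    print(fingerprint_matches(COLLIDING_FINGERPRINT))   # False: full compare catches it
    print(short_key_id(COLLIDING_FINGERPRINT) == short_key_id(full))  # True: same short ID
    print(verify_artifact(SAMPLE_ARTIFACT, SAMPLE_SHA256,
                          "https://downloads.apache.org/example.sha256"))  # True
    print(verify_artifact(SAMPLE_ARTIFACT, SAMPLE_SHA256,
                          "http://downloads.apache.org/example.sha256"))   # False: plain HTTP
```

The constant-time `hmac.compare_digest` is not strictly needed for a public digest, but it is the habit to keep for any comparison of secret-derived values; the point that matters here is that `verify_artifact` refuses before hashing anything when the checksum's origin cannot be trusted.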