ant-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From bugzi...@apache.org
Subject DO NOT REPLY [Bug 43162] - Verification for Microsoft Windows incompletely described
Date Sun, 19 Aug 2007 15:03:42 GMT
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG·
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=43162>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND·
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=43162


conor@apache.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |WONTFIX




------- Additional Comments From conor@apache.org  2007-08-19 08:03 -------
It's true that to verify the signatures on the Ant releases you need to have
installed some software on Windows. You can choose to install PGP or you can
choose to install gnupg as part of cygwin or gpg4win. I'd go for the cygwin route.

The fact that Antoine's key is not registered with PGP corp does not make it
invalid. It is registered with the public key server at http://pgp.mit.edu/ 
It is also listed in the KEYS file in the Ant repository and on the Ant website.
You need to decide what level of trust *you* give these key sources.

The Ant project is not hostile to Microsoft. I'm not sure why you would
understand that, even if it were true. Many Ant developers, including myself,
use Windows. 

I'm doubtful we will make available cabinet files. In fact I looked up signed
cabinet file on Wikipedia and there is a lot less information than there is
about gpg.

I'm not 100% sure what you are referring to about the mirrors archive having a
different name. The download pages all point to the master key file and not the
mirrored copy because Apache only controls the masters. If a mirror is
compromised, it would be possible that the mirrored KEYS file and signatures are
also compromised. Verifying a mirrored archive against the mirrored KEYS and
signatures is of no value whatsoever.

I agree that we could improve the doco for windows users and we do happily
accept patches to improve documentation. On your other points, however, I'm
afraid we probably won't meet your expectations.

I'm sorry you wasted a workday on this.


-- 
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@ant.apache.org
For additional commands, e-mail: dev-help@ant.apache.org


Mime
View raw message