beam-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Daniel Halperin (JIRA)" <j...@apache.org>
Subject [jira] [Created] (BEAM-488) Remove KEYS file
Date Tue, 26 Jul 2016 06:23:20 GMT
Daniel Halperin created BEAM-488:
------------------------------------

             Summary: Remove KEYS file
                 Key: BEAM-488
                 URL: https://issues.apache.org/jira/browse/BEAM-488
             Project: Beam
          Issue Type: Task
          Components: project-management
    Affects Versions: Not applicable
            Reporter: Daniel Halperin
            Assignee: Daniel Halperin


http://mail-archives.apache.org/mod_mbox/incubator-general/201606.mbox/%3CCAAS6=7hVLcw6060Un7sXxk+WLLh08DFOSWktC0Aam4F=DyE0xA@mail.gmail.com%3E

> Bundling PGP keys inside a package is worse than worthless -- an attacker can
just bundle spoofed keys with a bogus distro!  Keys need to be made available
from a highly reliable, separate server: Download the main package from a
mirror, get PGP keys from apache.org, pgp.mit.edu, etc. and verify.
> 
> The KEYS file within the Beam source tree should be deleted.
 



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message