community-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From jan i <j...@apache.org>
Subject Re: Source signed by someone not on your list
Date Wed, 03 Jun 2015 19:49:57 GMT
Hi

Juergen Schmidt was the release manager for the latest AOO releases so the
key is valid.

If you use our official mirror through www.openoffice.org you should see
that the
key is legal.

but thanks for being observant and reporting your findings.

rgds
jan i
v.p. apache openoffice


On Wednesday, June 3, 2015, tensizes <tensizes@gmail.com> wrote:

> Hi,
>
> This is a security heads-up.  After downloading the latest release of
> Apache Open Office and checking the key, I found it was signed by someone
> not on your published KEYS file list of contributors, someone named Jeurgen
> Schmidt
>
> His/her pgp key id is 51B5FDE8
>
> The release file is from mirror http://mirrors.gigenet.com
> Filename: apache-openoffice-4.1.1-r1617669-src.tar.bz2
>
> Either Jeurgen Schmidt has been left off of your list, or they have been
> signing sources without permission.
>
> Thanks for your development efforts,
> tensizes
>


-- 
Sent from My iPad, sorry for any misspellings.

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message