hadoop-general mailing list archives

From Thomas Koch <tho...@koch.ro>
Subject Please get your gpg keys signed!
Date Fri, 25 Jun 2010 09:29:55 GMT
Hi,

I just wanted to package the new HBase version and since I've just recently 
read about a malicious software tarball for some Linux IRC server[1], I got 
back to the habit of checking signatures. (Yes, I was lazy recently. I'm 
ashamed.)

But checking the signatures of Apache software obviously is meaningless, since 
Apache developers appear to not have their keys in the web-of-trust. From 
three signature files I had lying around on my hard disc, all three keys had 
zero signatures on the MIT keyserver:

30CD0996 2010-05-03 Michael Stack <stack@duboce.net>
68E327C1 2008-10-22 Patrick Hunt <phunt@apache.org>
FE045966 2009-10-13 Grant Ingersoll <gsingers@apache.org>

So please, when you have your next Hadoop / HBase / Lucene / Apache meetings, 
take your time for a keysigning party[2]. Or just have some snippet with your 
key's fingerprint in your wallet and hand it to every other geek you meet. (And 
make sure he asks you for your ID card to check your identity!) It's also nice 
to have your gpg fingerprint on your business cards!

[1] http://www.sophos.com/blogs/chetw/g/2010/06/12/linux-malware-rears-ugly-head/
[2] http://en.wikipedia.org/wiki/Key_signing_party

Thank you!

Thomas Koch, http://www.koch.ro
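
Added example, not part of the original message: one way to repeat the check described above (does a release key carry any certification from another key?) against a locally imported key rather than the keyserver's web page. It assumes the input is the output of `gpg --with-colons --list-sigs <key>`; the sample listings, key IDs and names are constructed.

```python
# Added example: find third-party certifications in a GnuPG colon listing,
# i.e. the output of `gpg --with-colons --list-sigs <key>`.
# --list-sigs does not verify the signatures it lists; --check-sigs does.

CERT_CLASSES = {"10", "11", "12", "13"}  # OpenPGP user-ID certification types

# Constructed samples: key IDs, dates and names are made up.
SELF_SIGNED_ONLY = """\
pub:-:2048:1:1111111111111111:1262304000:::-:::scESC:
uid:-::::1262304000::::Release Manager <rm@example.org>:
sig:::1:1111111111111111:1262304000::::Release Manager <rm@example.org>:13x:
sub:-:2048:1:2222222222222222:1262304000::::::e:
sig:::1:1111111111111111:1262304000::::Release Manager <rm@example.org>:18x:
"""
CROSS_SIGNED = """\
pub:-:2048:1:1111111111111111:1262304000:::-:::scESC:
uid:-::::1262304000::::Release Manager <rm@example.org>:
sig:::1:1111111111111111:1262304000::::Release Manager <rm@example.org>:13x:
sig:::1:3333333333333333:1262390400::::Colleague A <a@example.org>:10x:
sig:::1:4444444444444444:1262390400::::Colleague B <b@example.org>:10x:
rev:::1:4444444444444444:1262476800::::Colleague B <b@example.org>:30x:
"""

def third_party_signers(listing):
    """Map each primary key ID to the other key IDs certifying its user IDs."""
    certs, revoked, primary = {}, {}, None
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] == "pub" and len(f) > 4:
            primary = f[4]
            certs[primary], revoked[primary] = set(), set()
        elif primary and len(f) > 10 and f[4] != primary:
            sigclass = f[10][:2]
            if f[0] == "sig" and sigclass in CERT_CLASSES:
                certs[primary].add(f[4])
            elif f[0] == "rev" and sigclass == "30":
                revoked[primary].add(f[4])  # certification withdrawn
    return {k: certs[k] - revoked[k] for k in certs}

if __name__ == "__main__":
    for name, sample in (("self-signed only", SELF_SIGNED_ONLY),
                         ("cross-signed", CROSS_SIGNED)):
        for key, signers in third_party_signers(sample).items():
            print(f"{name}: {key} has {len(signers)} third-party signer(s)")
```

An empty set means the key is only self-signed, so a valid signature on a tarball shows only that the same key signed it, not who holds that key.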
