harmony-dev mailing list archives

From "Robert Burrell Donkin" <robertburrelldon...@gmail.com>
Subject Re: [release] Do we need to be signing our releases; even the milestones?
Date Sat, 17 Nov 2007 07:37:14 GMT
On Nov 17, 2007 12:47 AM, Nathan Beyer <ndbeyer@apache.org> wrote:
> http://people.apache.org/~henkp/checker/sig.html
> I noticed that we're showing up as offenders on the signature
> checklist. I realize these are just milestones, but we probably need
> to get in the habit. How is everyone's web of trust? I've finally been
> able to get a few signatures on my key, so mine should be good enough
> to sign the releases.
> I've also noticed that our KEYS file isn't very large, so we probably
> need to get all of the committers on the ring.


it's important to sign all releases. sums are relatively easy to
subvert. if an attacker subverts part of the release infrastructure
then all sums must be suspect.

signatures are a much stronger guarantee. they should be stored securely
by the signer and protected by a good passphrase. an attacker is then
faced with subverting not only the release infrastructure but also the
machines storing the private keys and then cracking the passphrases
protecting them. apache insists on only one signature but this is the
minimum: high profile projects should try to sign with as many
developer keys as possible.

even signatures from keys not strongly connected to the apache
web-of-trust are worthwhile. in the event of a compromise, each
signature allows an additional independent check on the release
whether it's connected to the web-of-trust or not. subverting a
release signed by a dozen developers (say) would require considerable

having at least one signature strongly connected to the apache
web-of-trust allows independent verification which is important but
signing releases is crucial for security. please follow policy and
sign all releases.

- robert
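The threat model Robert describes above, as an added worked example (not code from the original message or from the Harmony project): a mirror that serves an artifact, a checksum file beside it, and detached signatures from several developers. It uses Ed25519 from Go's standard library in place of OpenPGP purely to keep the example self-contained; the artifact bytes, the signer names and the "KEYS" map are constructed stand-ins. The point it demonstrates is that an attacker who owns the download infrastructure can rewrite the checksum file to match a backdoored artifact, so the checksum check still passes, while every detached signature from an uncompromised key fails, and an all-signers policy still catches the case where one key is stolen.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
)

// Release is what a download mirror serves: the artifact, the checksum file
// published next to it, and zero or more detached signatures.
type Release struct {
	Artifact   []byte
	SHA256     string            // hex digest published beside the artifact
	Signatures map[string][]byte // signer name -> detached Ed25519 signature
}

// Signer is a developer holding a private key. Only the public half is
// published (the project's KEYS file); the private half never touches the
// release infrastructure.
type Signer struct {
	Name string
	priv ed25519.PrivateKey
}

// NewSigner generates a fresh keypair for a named developer (constructed data).
func NewSigner(name string) Signer {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // only fails if the OS CSPRNG is unavailable
	}
	return Signer{Name: name, priv: priv}
}

// Public returns the verifying key that would be listed in KEYS.
func (s Signer) Public() ed25519.PublicKey { return s.priv.Public().(ed25519.PublicKey) }

// Sign produces a detached signature over the artifact bytes.
func (s Signer) Sign(artifact []byte) []byte { return ed25519.Sign(s.priv, artifact) }

// Checksum computes the hex SHA-256 digest of an artifact.
func Checksum(artifact []byte) string {
	sum := sha256.Sum256(artifact)
	return hex.EncodeToString(sum[:])
}

// Publish builds a release the way a release manager would: a checksum
// file plus one detached signature per participating developer.
func Publish(artifact []byte, signers []Signer) Release {
	r := Release{Artifact: artifact, SHA256: Checksum(artifact), Signatures: map[string][]byte{}}
	for _, s := range signers {
		r.Signatures[s.Name] = s.Sign(artifact)
	}
	return r
}

// Tamper models an attacker who controls the mirror: they swap the artifact
// and rewrite the checksum file to match, but hold no private keys, so the
// original signatures are left in place unchanged.
func Tamper(r Release, evil []byte) Release {
	t := Release{Artifact: evil, SHA256: Checksum(evil), Signatures: map[string][]byte{}}
	for k, v := range r.Signatures {
		t.Signatures[k] = v
	}
	return t
}

// VerifyChecksum is what a user does when they only compare the download
// against the digest published on the same server.
func VerifyChecksum(r Release) bool { return Checksum(r.Artifact) == r.SHA256 }

// VerifySignatures returns the sorted names of signers whose detached
// signature verifies under the trusted keys. Each name is an independent
// check: forging it requires that developer's private key and passphrase.
func VerifySignatures(r Release, keys map[string]ed25519.PublicKey) []string {
	var ok []string
	for name, sig := range r.Signatures {
		if pub, known := keys[name]; known && ed25519.Verify(pub, r.Artifact, sig) {
			ok = append(ok, name)
		}
	}
	sort.Strings(ok)
	return ok
}

// SignedByAll is the policy a cautious consumer can apply when a project
// signs with several keys: every expected signer must verify.
func SignedByAll(r Release, keys map[string]ed25519.PublicKey) bool {
	return len(VerifySignatures(r, keys)) == len(keys)
}

func main() {
	alice, bob := NewSigner("alice"), NewSigner("bob") // constructed signers
	keys := map[string]ed25519.PublicKey{"alice": alice.Public(), "bob": bob.Public()}
	rel := Publish([]byte("milestone.tar.gz contents"), []Signer{alice, bob})
	evil := Tamper(rel, []byte("milestone.tar.gz with a backdoor"))

	fmt.Println("genuine:  checksum", VerifyChecksum(rel), "signers", VerifySignatures(rel, keys))
	fmt.Println("tampered: checksum", VerifyChecksum(evil), "signers", VerifySignatures(evil, keys))

	// Even if alice's key is also stolen and the backdoor re-signed, bob's
	// signature still fails, so the all-signers policy rejects it.
	evil.Signatures["alice"] = alice.Sign(evil.Artifact)
	fmt.Println("stolen key: signers", VerifySignatures(evil, keys), "all:", SignedByAll(evil, keys))
}
```

The usual Apache workflow is the same shape with `gpg --verify artifact.asc artifact` against the keys in KEYS; the example simply swaps the signature scheme so it runs without an OpenPGP toolchain installed.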
