httpd-dev mailing list archives

Subject RE: Tagging 2.0.17 in a few...
Date Tue, 17 Apr 2001 20:46:44 GMT
Well, it probably should be signed.  The public key can then be grabbed from
the issuer to verify authenticity.  I don't think that (I assume they're
public) keys should present any security problem as long as the key matches
the official public key.

Marc J. Miller
Open Source Relations Engineer
1-800-538-8450 x43325

-----Original Message-----
From: Greg Marr
Sent: Tuesday, April 17, 2001 8:18 AM
Subject: Re: Tagging 2.0.17 in a few...

At 10:26 AM 04/17/2001, wrote:
Someone who wasn't attributed wrote:
> > The KEYS file does not need to go into the distribution. Heck, I'd suggest
> > that it specifically *NOT* go into the distro.

Absolutely.  If the keys file is in the tarball, then there's really 
no point in having it signed, since someone else could generate 
another keys file to go into their tarball.  The keys file needs to 
come from somewhere trustworthy, or it's useless.

> >
> > Assuming no KEYS file in the distro, then step (2) can be ignored.
> >
> > A KEYS file on the public site (whichever of the bazillion redundant copies)
> > needs a key, tho.
>I seriously disagree.  I thought a lot about this before I posted, 
>because I was trying to figure out why the site said you needed the 
>KEYS file to be up-to-date before the tag.  The reason is 
>simple.  If I just downloaded the 2.0.17 tarball, and I want to get 
>the KEYS file, I am going to go to CVS, and grab the one with the 
>2.0.17 tag.

That assumes the user knows something about CVS, and where to find 
the keys file.  It also requires a separate keys file for every 
project.  If there is a central keys file on the web, or at least one 
per project, then the user can just go to that page (probably the 
download page) and get the current keys file.

Greg Marr
"We thought you were dead."
"I was, but I'm better now." - Sheridan, "The Summoning"

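The point argued in this thread, that a KEYS file shipped inside the tarball authenticates nothing while one fetched from a trusted location does, as an added example that is not part of the original messages or of the project's tooling. It assumes a Lamport one-time signature over SHA-256 as a standard-library stand-in for the PGP signatures under discussion; the release dictionaries, payload strings and function names are constructed for illustration.

```python
import hashlib
import secrets

def H(data):
    return hashlib.sha256(data).digest()

# Lamport one-time signature: a stdlib-only stand-in (assumption) for PGP.
def keygen():
    sk = [[secrets.token_bytes(32), secrets.token_bytes(32)] for _ in range(256)]
    pk = [[H(s0), H(s1)] for s0, s1 in sk]
    return sk, pk

def digest_bits(msg):
    d = H(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def sign(sk, msg):
    # Reveal one secret per digest bit; each key must sign only one message.
    return [sk[i][b] for i, b in enumerate(digest_bits(msg))]

def verify(pk, msg, sig):
    return all(H(s) == pk[i][b] for i, (s, b) in enumerate(zip(sig, digest_bits(msg))))

def make_release(payload, sk, pk):
    # Constructed model of a download: tarball bytes, signature, bundled KEYS.
    return {"payload": payload, "sig": sign(sk, payload), "KEYS": pk}

def verify_with_bundled_keys(rel):
    # Trusts whatever key arrived inside the same download.
    return verify(rel["KEYS"], rel["payload"], rel["sig"])

def verify_with_trusted_keys(rel, trusted_pk):
    # Ignores the bundled key; uses the one fetched from the official site.
    return verify(trusted_pk, rel["payload"], rel["sig"])

def demo():
    project_sk, project_pk = keygen()   # the release manager's key
    other_sk, other_pk = keygen()       # anyone else's freshly generated key
    genuine = make_release(b"httpd-2.0.17 source", project_sk, project_pk)
    repackaged = make_release(b"httpd-2.0.17 source, altered", other_sk, other_pk)
    return {
        "bundled_genuine": verify_with_bundled_keys(genuine),
        "bundled_repackaged": verify_with_bundled_keys(repackaged),
        "trusted_genuine": verify_with_trusted_keys(genuine, project_pk),
        "trusted_repackaged": verify_with_trusted_keys(repackaged, project_pk),
    }

if __name__ == "__main__":
    print(demo())
```

Checking against the bundled key accepts both downloads, so it cannot tell them apart; only the check against the independently obtained key rejects the repackaged one.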