httpd-dev mailing list archives

From "William A. Rowe Jr." <wr...@rowe-clan.net>
Subject Re: please sign new apache releases only with strong keys -- trimming the KEYS file
Date Tue, 31 Dec 2013 19:02:09 GMT
On Tue, 31 Dec 2013 13:27:30 -0500
Daniel Kahn Gillmor <dkg@fifthhorseman.net> wrote:

> On 12/31/2013 01:19 PM, Graham Leggett wrote:
> > It is also a statement of what keys have historically been used to
> > sign past artifacts, and that is just as important.
> 
> These are distinct things, though.  It would be great if the apache
> project could separately identify which keys are going to be used
> going forward and which ones are there for historical purposes.

Good observation, but we don't have such a concept (yet) (AFAIK), all
the foundation docs refer users to the KEYS file.

Agreed that it would be useful, moving forwards, to keep the abridged
list of KEYS.current in addition to KEYS (historical), for some
definition of 'current' being over the past 12 mos or expected to be
used in the near future.

But I don't think we can or should change the defined use of KEYS.

