incubator-general mailing list archives

From sebb <seb...@gmail.com>
Subject Re: ASF Web of Trust [was: Release Distribution Strategy]
Date Mon, 29 Oct 2007 15:50:39 GMT
On 29/10/2007, Gilles Scokart <gscokart@gmail.com> wrote:
>
>
> > -----Original Message-----
> > From: sebb [mailto:sebbaz@gmail.com]
> >
> > Even if you can't establish a trust path, the PGP signature gives a
> > bit more assurance than a hash. The KEY file should be in SVN, so you
> > can ensure that the person that added the key to the KEY file was at
> > least a committer to SVN.
>
> That's only for the users who have https access to SVN (and who can
> reliably verify the SSH key of the server). The others have to assume
> that the server from which they are reading the KEY file is the real
> one.
>

Strictly speaking, yes.

The KEY file can be downloaded without needing https access, but as
you point out, this is not necessarily a guarantee of authenticity.

However, it is one more obstacle that a hacker would have to surmount:
they would have to subvert the SVN host as well as the main apache
host holding the KEY file.

> Gilles
>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
> For additional commands, e-mail: general-help@incubator.apache.org
>
>

---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
For additional commands, e-mail: general-help@incubator.apache.org
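The two checks discussed in this exchange, as an added example that is not part of the thread: a POSIX shell script that imports a KEYS file into a throwaway keyring, verifies a detached .asc signature against it, and separately compares a published SHA-256 digest. All file paths are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread: verify an Apache-style release
# artifact with the KEYS file plus a detached .asc signature, and
# separately check a published SHA-256 digest. All paths are hypothetical.
set -eu

# Import KEYS into a throwaway keyring so the check neither depends on
# nor pollutes the user's own keyring. Fetch KEYS from the project's own
# host (ideally over https), not from the mirror that served the artifact.
import_keys() {
    keys_file=$1; keyring_dir=$2
    mkdir -p "$keyring_dir" && chmod 700 "$keyring_dir"
    gpg --homedir "$keyring_dir" --batch --quiet --import "$keys_file" 2>/dev/null
}

# Succeeds only if the signature was made by a key present in the keyring.
# A good signature proves the artifact was signed by *some* key in KEYS;
# whether that key is the release manager's is the trust-path question
# raised in the thread and is not settled by this check.
verify_signature() {
    artifact=$1; sig_file=$2; keyring_dir=$3
    gpg --homedir "$keyring_dir" --batch --quiet \
        --verify "$sig_file" "$artifact" 2>/dev/null
}

# Portable SHA-256: GNU coreutils sha256sum or BSD/macOS shasum.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Compare the artifact with the published digest. This catches corruption,
# but whoever can replace the artifact on a mirror can replace the digest
# next to it, so it is an integrity check, not an authenticity check.
verify_sha256() {
    artifact=$1; expected=$2
    [ "$(sha256_of "$artifact")" = "$expected" ]
}

# Typical use (hypothetical paths):
#   import_keys ./KEYS ./verify-keyring
#   verify_signature ./foo-1.0.tar.gz ./foo-1.0.tar.gz.asc ./verify-keyring
#   verify_sha256 ./foo-1.0.tar.gz "$(cut -d' ' -f1 ./foo-1.0.tar.gz.sha256)"
```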