incubator-general mailing list archives

From Henning Schmiedehausen <henn...@apache.org>
Subject Re: status of PGP support in Maven
Date Wed, 24 Sep 2008 05:54:16 GMT
So you assume that www.apache.org cannot be hacked? What if a
signing key *IS* in KEYS but not signed by anyone (because the developer
has never attended an Apache key signing event)?

	Ciao
		Henning

On Wed, 2008-09-24 at 00:36 -0500, William A. Rowe, Jr. wrote:
> Henning Schmiedehausen wrote:
> > 
> > How do you validate that the pub key presented to you is genuine? 
> 
> Every project worth its salt has a www.apache.org/dist/{tlp}/KEYS
> file which contains that project's contributors' signatures, countersigned
> or not.  Ideally, they are extensively countersigned.  But in some cases
> they are not.
> 
> The delta is: are you trusting www.apache.org/dist/{tlp}/KEYS?  Or are
> you trusting www.friendlyname.zz/mirrors/apache/dist/{tlp}/KEYS?  There's
> a pretty major difference :)
> 
> 
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
> For additional commands, e-mail: general-help@incubator.apache.org
> 

