incubator-general mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "William A. Rowe, Jr." <wr...@rowe-clan.net>
Subject Re: status of PGP support in Maven
Date Wed, 24 Sep 2008 05:36:44 GMT
Henning Schmiedehausen wrote:
> 
> How do you validate that the pub key presented to you is genuine? 

Every project worth it's salt has a www.apache.org/dist/{tlp}/KEYS
file which contain that project's contributors signatures, countersigned
or not.  Ideally, they are extensively countersigned.  But in some cases
they are not.

The delta is; are you trusting www.apache.org/dist/{tlp}/KEYS?  Or are
you trusting www.friendlyname.zz/mirrors/apache/dist/{tlp}/KEYS?  There's
a pretty major difference :)




---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
For additional commands, e-mail: general-help@incubator.apache.org


Mime
View raw message