incubator-general mailing list archives

From "Robert Burrell Donkin" <robertburrelldon...@gmail.com>
Subject Re: status of PGP support in Maven
Date Sat, 20 Sep 2008 09:08:46 GMT
On Fri, Sep 19, 2008 at 6:11 PM, Justin Erenkrantz
<justin@erenkrantz.com> wrote:
> On Fri, Sep 19, 2008 at 6:12 AM, Hiram Chirino <hiram@hiramchirino.com> wrote:
>> How about we include the signatures in the source distros?  That way
>> if you trust your source, then you can trust the dependencies it
>> downloads.
>
> Eww.  That'd be a giant gaping security hole.

not necessarily, depends how it's done

signing works through trusting the people who own the keys. given
sufficient signatures (to prevent small conspiracies), where the
signatures are downloaded from shouldn't matter.

- robert
