On Sep 24, 2008, at 3:44 PM, Hiram Chirino wrote:

> On Wed, Sep 24, 2008 at 1:27 AM, Henning Schmiedehausen wrote:
>> On Mon, 2008-09-22 at 13:42 -0400, Hiram Chirino wrote:
>>> On Mon, Sep 22, 2008 at 10:12 AM, sebb wrote:
>>>> On 22/09/2008, Hiram Chirino wrote:
>>>>> The only reason I suggested including the sigs in the source distro is
>>>>> because a source build like Apache ServiceMix depends on hundreds of
>>>>> third party dependencies.. so an end user would need to end up
>>>>> trusting LOTs of different signatures to get ServiceMix to build.
>>>>>
>>>>> It would be easier if the end user could just trust the Apache source
>>>>> distro and also transitively trust the signatures that we trust for
>>>>> our dependencies.
>>>>>
>>>>
>>>
>>> I actually meant to say include the pub key for the dependency in the
>>> source distro.
>>
>> How do you validate that the pub key presented to you is genuine? What
>> you are currently proposing is
>>
>> src-artifact <- signed with A's privkey, validated with A's pubkey
>>
>> A's pubkey is inside src-artifact.
>
> NO I'm not. I'm saying that A artifact has 100 dependencies by say 30
> different signers.. we include those 30 pub keys in the src-artifact.
> NOT the A key!
>
> You have to validate the A source distro the same way you would
> validate an ANT based build source distro today.

Ok we can do something where the X +1's issued are sent to a keyserver
along with the OK of a PMC member or human gate (as one does not want to
also automate veto counting) or similar - together with the md5/sha1. And
returned is the later hash signed by some rolling apache key or x509.

Thanks,

Dw

---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
For additional commands, e-mail: general-help@incubator.apache.org
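The trust model argued over above, written out as an added example (not code from the thread or from any Apache project): the project's own key is obtained out of band, exactly as for any other source release, and only once the bundled list of dependency-signer keys verifies under that key are those keys trusted to validate the dependencies. Ed25519 stands in for the PGP keys the list is discussing; the artifact contents, names and keys are all constructed sample data. `VerifyNaive` shows Henning's objection concretely: if the verifier takes the project key from inside the artifact it is checking, a repacked distro that swaps a dependency, adds a new signer to the bundle and re-signs everything still passes.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// keyBundle is the list of dependency-signer public keys shipped inside the
// source distro (the "30 pub keys" from the thread). Its serialized bytes are
// what the project key signs, so tampering with the bundle is detectable.
type keyBundle []ed25519.PublicKey

func (b keyBundle) bytes() []byte {
	var out []byte
	for _, k := range b {
		out = append(out, k...)
	}
	return out
}

func (b keyBundle) contains(k ed25519.PublicKey) bool {
	for _, c := range b {
		if bytes.Equal(c, k) {
			return true
		}
	}
	return false
}

// Dependency is a third-party artifact with its detached signature and the key
// that signature claims to come from (what a .asc file plus a key lookup gives).
type Dependency struct {
	Name    string
	Content []byte
	Sig     []byte
	Signer  ed25519.PublicKey
}

// SourceDistro is the top-level artifact: the key bundle, the project's
// signature over it, and the dependencies the build needs. ProjectKey is the
// key the distro *claims* signed it; a verifier must not rely on it.
type SourceDistro struct {
	Bundle     keyBundle
	BundleSig  []byte
	Deps       []Dependency
	ProjectKey ed25519.PublicKey
}

// Verify takes the project key from out of band (e.g. the project's KEYS file).
// Only after the bundle verifies under that key are the bundled keys trusted.
func Verify(d SourceDistro, projectKey ed25519.PublicKey) error {
	if !ed25519.Verify(projectKey, d.Bundle.bytes(), d.BundleSig) {
		return errors.New("bundled key list is not signed by the project key")
	}
	for _, dep := range d.Deps {
		if !d.Bundle.contains(dep.Signer) {
			return fmt.Errorf("%s: signer is not in the trusted bundle", dep.Name)
		}
		if !ed25519.Verify(dep.Signer, dep.Content, dep.Sig) {
			return fmt.Errorf("%s: bad signature", dep.Name)
		}
	}
	return nil
}

// VerifyNaive trusts the key found inside the artifact: the circularity
// Henning describes. Whoever repacks the distro also controls this key.
func VerifyNaive(d SourceDistro) error {
	return Verify(d, d.ProjectKey)
}

type signer struct {
	pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func newSigner() signer {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return signer{pub, priv}
}

// BuildExample constructs a genuine distro with one project key and two
// dependency signers, and returns the project key as the out-of-band copy.
func BuildExample() (SourceDistro, ed25519.PublicKey) {
	project := newSigner()
	var bundle keyBundle
	var deps []Dependency
	for i, content := range [][]byte{[]byte("dep-a-1.0.tar.gz"), []byte("dep-b-2.1.tar.gz")} {
		s := newSigner()
		bundle = append(bundle, s.pub)
		deps = append(deps, Dependency{Name: fmt.Sprintf("dep-%d", i), Content: content,
			Sig: ed25519.Sign(s.priv, content), Signer: s.pub})
	}
	d := SourceDistro{Bundle: bundle, Deps: deps, ProjectKey: project.pub}
	d.BundleSig = ed25519.Sign(project.priv, bundle.bytes())
	return d, project.pub
}

// Repack models the substitution the naive check misses: a third party swaps
// one dependency, adds their own key to the bundle and re-signs the bundle.
// The input is copied so the genuine distro is left untouched.
func Repack(d SourceDistro) SourceDistro {
	attacker := newSigner()
	modified := []byte("dep-a-1.0.tar.gz (modified)")
	deps := append([]Dependency(nil), d.Deps...)
	deps[0] = Dependency{Name: deps[0].Name, Content: modified,
		Sig: ed25519.Sign(attacker.priv, modified), Signer: attacker.pub}
	bundle := append(append(keyBundle(nil), d.Bundle...), attacker.pub)
	return SourceDistro{Bundle: bundle, BundleSig: ed25519.Sign(attacker.priv, bundle.bytes()),
		Deps: deps, ProjectKey: attacker.pub}
}

func main() {
	d, projectKey := BuildExample()
	r := Repack(d)
	fmt.Println("genuine, out-of-band key:      ", Verify(d, projectKey))
	fmt.Println("repacked, out-of-band key:     ", Verify(r, projectKey))
	fmt.Println("repacked, key taken from inside:", VerifyNaive(r))
}
```

The point the code makes is that the bundled keys are safe to ship precisely because they are never used to validate the artifact that carries them; the one key that must come from somewhere else is the project's own, which is the same requirement an Ant-based source release already has.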