incubator-general mailing list archives

From "Mattmann, Chris A (388J)" <>
Subject Re: KEYS and releases
Date Mon, 27 Jun 2011 20:48:09 GMT
Hi Benson,

On Jun 27, 2011, at 1:37 PM, Benson Margulies wrote:

> Chris,
> If my goal was to hoodwink you, I'd create a bogus key that claimed to
> be owned by an Apache person, put it in a KEYS file, and include in
> the release, and sign the release with it. If I was lucky, you'd just
> verify the release with the embedded key, and I'd have succeeded. We
> want people to use keys from some source OTHER than the mirrors to
> verify. There is a non-zero risk of compromise of the many mirrors.

Sorry, missing the point here. How would you hoodwink me by including a bogus key in a KEYS
file included in a distro that only Apache people have the right to seed any easier than hoodwinking
me by placing that same bogus key in a place that only Apache people have the right to see
(the /dist directory on minotaur)?


Chris Mattmann, Ph.D.
Senior Computer Scientist
NASA Jet Propulsion Laboratory Pasadena, CA 91109 USA
Office: 171-266B, Mailstop: 171-246
Adjunct Assistant Professor, Computer Science Department
University of Southern California, Los Angeles, CA 90089 USA
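As an added example (not part of this thread or of any Apache tooling), the rule Benson is arguing for, written as a check over gpg's machine-readable output: the fingerprint gpg reports in its VALIDSIG line must be one extracted from a KEYS file fetched from apache.org, never from a KEYS file shipped inside the release itself. It assumes the pinned fingerprints come from `gpg --with-colons --show-keys KEYS` (GnuPG 2.2 or later) and the verification result from `gpg --status-fd 1 --verify`; the key listing and status lines below are constructed sample data.

```python
import re

# VALIDSIG carries the full 40-hex-digit fingerprint of the key that made the signature.
VALIDSIG_RE = re.compile(r"^\[GNUPG:\] VALIDSIG ([0-9A-F]{40})\b")

def trusted_fingerprints(keys_listing: str) -> set[str]:
    """Fingerprints from `gpg --with-colons --show-keys KEYS`, where KEYS was fetched from
    apache.org, not a mirror or the release. Field 10 of each 'fpr' record is the fingerprint."""
    fprs = set()
    for line in keys_listing.splitlines():
        fields = line.split(":")
        if fields[0] == "fpr" and len(fields) > 9:
            fprs.add(fields[9].upper())
    return fprs

def verify_status(status_output: str, trusted: set[str]) -> tuple[bool, str]:
    """Decide on one `gpg --status-fd 1 --verify file.asc file` run. A valid signature
    alone proves nothing: the signing key must be one of the pinned out-of-band
    fingerprints, otherwise a key planted in an embedded KEYS file passes just as well."""
    lines = status_output.splitlines()
    if any(l.startswith("[GNUPG:] BADSIG") for l in lines):
        return False, "signature does not match the artifact"
    if any(l.startswith("[GNUPG:] NO_PUBKEY") for l in lines):
        return False, "signing key unknown; do not import it from the release itself"
    for line in lines:
        m = VALIDSIG_RE.match(line)
        if m:
            fpr = m.group(1)
            if fpr in trusted:
                return True, f"signed by trusted key {fpr}"
            return False, f"valid signature, but key {fpr} is not in the trusted KEYS set"
    return False, "no VALIDSIG line; nothing to trust"

# Constructed sample data: one genuine release-manager key, one planted key.
TRUSTED_FPR = "AAAA1111BBBB2222CCCC3333DDDD4444EEEE5555"
PLANTED_FPR = "FFFF0000FFFF0000FFFF0000FFFF0000FFFF0000"
KEYS_LISTING = (f"pub:-:4096:1:{TRUSTED_FPR[-16:]}:1300000000::::::scESC::::::23::0:\n"
                + "fpr" + ":" * 9 + TRUSTED_FPR + ":\n")

def status_for(fpr: str) -> str:
    """Constructed gpg status output for a signature that verifies under key `fpr`."""
    return (f"[GNUPG:] GOODSIG {fpr[-16:]} Release Manager <rm@example.invalid>\n"
            f"[GNUPG:] VALIDSIG {fpr} 2011-06-27 1309200000 0 4 0 1 10 00 {fpr}\n"
            "[GNUPG:] TRUST_UNDEFINED 0 pgp\n")

if __name__ == "__main__":
    pinned = trusted_fingerprints(KEYS_LISTING)
    for label, status in (("genuine", status_for(TRUSTED_FPR)), ("planted", status_for(PLANTED_FPR))):
        print(label, verify_status(status, pinned))
```

The planted key's signature is cryptographically fine, which is exactly why gpg alone cannot catch it; only the comparison against fingerprints obtained from somewhere other than the release rejects it.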
