incubator-general mailing list archives

From Jukka Zitting <jukka.zitt...@gmail.com>
Subject Re: KEYS and releases
Date Tue, 28 Jun 2011 08:53:56 GMT
Hi,

On Tue, Jun 28, 2011 at 10:29 AM, Bertrand Delacretaz
<bdelacretaz@apache.org> wrote:
> Hence the need for people to download KEYS files from an *.apache.org
> domain that we do control. Putting KEYS in a distribution might cause
> people to use them instead of getting them from a trusted source, and
> that's bad.

The keys should be included in the web of trust, so it shouldn't
matter from where a user gets the keys.

Without the web of trust, the PGP signatures are just a rather
elaborate version of the MD5 and SHA1 checksums we also provide.

Of course, without being included in the web of trust, the best a user
can do is to get at least one of the keys from a trusted source.

BR,

Jukka Zitting