From: "Mattmann, Chris A (388J)"
To: "general@incubator.apache.org"
Date: Mon, 27 Jun 2011 13:48:09 -0700
Subject: Re: KEYS and releases

Hi Benson,

On Jun 27, 2011, at 1:37 PM, Benson Margulies wrote:

> Chris,
>
> If my goal was to hoodwink you, I'd create a bogus key that claimed to
> be owned by an Apache person, put it in a KEYS file, and include in
> the release, and sign the release with it. If I was lucky, you'd just
> verify the release with the embedded key, and I'd have succeeded. We
> want people to use keys from some source OTHER than the mirrors to
> verify. There is a non-zero risk of compromise of the many mirrors.

Sorry, missing the point here. How would you hoodwink me by including a bogus key in a KEYS file included in a distro that only Apache people have the right to seed any easier than hoodwinking me by placing that same bogus key in a place that only Apache people have the right to see (the /dist directory on minotaur)?

Cheers,
Chris

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Chris Mattmann, Ph.D.
Senior Computer Scientist
NASA Jet Propulsion Laboratory Pasadena, CA 91109 USA
Office: 171-266B, Mailstop: 171-246
Email: chris.a.mattmann@nasa.gov
WWW: http://sunset.usc.edu/~mattmann/
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Adjunct Assistant Professor, Computer Science Department
University of Southern California, Los Angeles, CA 90089 USA
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
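
The check that the quoted reply argues for, as an added example that is not part of the original message or of any Apache tooling: a signature is accepted only when gpg reports it as valid for a fingerprint obtained independently of the download. The fingerprint, the function names and the sample status lines are constructed for illustration.

```shell
#!/bin/sh
# Added example. The fingerprint below is a constructed placeholder; a real
# one must come from a source independent of the download (not a bundled KEYS).
PINNED_FPRS="0123456789ABCDEF0123456789ABCDEF01234567"

# Reads `gpg --status-fd` output on stdin. Succeeds only if a VALIDSIG line
# names a pinned fingerprint and no bad/expired/revoked status is present.
status_has_pinned_sig() {
    awk -v pinned="$1" '
        BEGIN { n = split(pinned, p, " ")
                for (i = 1; i <= n; i++) ok[toupper(p[i])] = 1 }
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        $2 == "VALIDSIG" {
            # $3: fingerprint of the key that signed; $12: primary key, if given
            s = toupper($3); m = toupper($12)
            if ((s in ok) || (m in ok)) found = 1
        }
        END { if (found && !bad) exit 0; exit 1 }
    '
}

# Hypothetical wrapper: $1 artifact, $2 detached signature, $3 path to a
# keyring file. The keyring may even be built from the bundled KEYS file;
# acceptance still depends only on the pinned fingerprint.
verify_release() {
    gpg --no-default-keyring --keyring "$3" --status-fd 1 \
        --verify "$2" "$1" 2>/dev/null | status_has_pinned_sig "$PINNED_FPRS"
}

# Constructed status output: a signature by the pinned key, and an equally
# "valid" signature by an unknown key such as one shipped inside the download.
SAMPLE_PINNED='[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2011-06-27 1309207569 0 4 0 1 2 00 0123456789ABCDEF0123456789ABCDEF01234567'
SAMPLE_UNKNOWN='[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA9876543210FEDCBA98 2011-06-27 1309207569 0 4 0 1 2 00 FEDCBA9876543210FEDCBA9876543210FEDCBA98'
```

Both sample lines are what gpg emits for a cryptographically good signature; only the comparison against the independently obtained fingerprint tells them apart.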