incubator-general mailing list archives

From Noah Slater <nsla...@tumbolia.org>
Subject Re: key signing
Date Thu, 11 Oct 2012 09:06:47 GMT
On Thu, Oct 11, 2012 at 9:48 AM, sebb <sebbaz@gmail.com> wrote:

> On 11 October 2012 02:39, Daniel Shahaf <d.s@daniel.shahaf.name> wrote:
> > Greg Stein wrote on Wed, Oct 10, 2012 at 21:31:30 -0400:
> >> Not too much. We still instruct users "take the signatures and verify
> >> them against blah.apache.org/KEYS". John Blackhat could replace the
> >> signatures and install his entry into KEYS.
> >
> > If you use https://people.apache.org/keys/ instead of KEYS files in the
> > dist/ tree, John would have to crack two machines rather than one.
>
> Last time I looked, the process downloads the key from a PGP server
> (which does not provide any auth at all) using the key id(s) in LDAP.
>

The recommended procedure is to ask the users to download the KEYS file
directly from the root of the dist dir, and import all the keys directly
from that. As far as I know. That's how we do it on CouchDB. I think httpd
does that too.


-- 
NS
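The procedure Noah describes (fetch KEYS from the root of the dist dir, import every key from it, then check the detached signature) as an added POSIX shell example; it is not code from the thread or from any Apache project. It assumes GnuPG 2.x is installed and that the caller has already downloaded the KEYS file, the artifact and its `.asc` signature; the function imports KEYS into a throwaway keyring so nothing in the user's normal keyring is trusted, and it prints the fingerprint of the signing key so it can be compared against one obtained out of band, which is the gap Greg and sebb point at above.

```shell
#!/bin/sh
# Added example (not from the thread): verify a release artifact against the
# KEYS file taken from the root of the dist/ tree, using an isolated GnuPG
# home so only keys published in KEYS can validate the signature.
# Usage: verify_release KEYS artifact artifact.asc
# Assumes gpg (GnuPG 2.x) is on PATH; all paths are supplied by the caller.
verify_release() {
    keys="$1"; artifact="$2"; sig="$3"
    home=$(mktemp -d) || return 1
    chmod 700 "$home"
    # Import only the keys from KEYS into the throwaway keyring.
    if ! gpg --homedir "$home" --batch --quiet --import "$keys" 2>/dev/null; then
        echo "import of $keys failed" >&2; rm -rf "$home"; return 1
    fi
    # --status-fd 1 emits machine-readable status lines; VALIDSIG carries the
    # fingerprint of the key that actually produced a good signature.
    status=$(gpg --homedir "$home" --batch --status-fd 1 \
                 --verify "$sig" "$artifact" 2>/dev/null) && rc=0 || rc=$?
    rm -rf "$home"
    fpr=$(printf '%s\n' "$status" | awk '/^\[GNUPG:\] VALIDSIG/ {print $3}')
    if [ "$rc" -ne 0 ] || [ -z "$fpr" ]; then
        echo "BAD: signature on $artifact did not verify against $keys" >&2
        return 1
    fi
    # A good signature only proves the signer's key was in KEYS when it was
    # fetched; the fingerprint is printed so it can be checked out of band.
    echo "OK: $artifact signed by key $fpr"
    return 0
}
```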
