Return-Path: X-Original-To: apmail-incubator-general-archive@www.apache.org Delivered-To: apmail-incubator-general-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id 0097DD459 for ; Thu, 11 Oct 2012 01:06:48 +0000 (UTC) Received: (qmail 45334 invoked by uid 500); 11 Oct 2012 01:06:47 -0000 Delivered-To: apmail-incubator-general-archive@incubator.apache.org Received: (qmail 45088 invoked by uid 500); 11 Oct 2012 01:06:47 -0000 Mailing-List: contact general-help@incubator.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: general@incubator.apache.org Delivered-To: mailing list general@incubator.apache.org Received: (qmail 45080 invoked by uid 99); 11 Oct 2012 01:06:47 -0000 Received: from nike.apache.org (HELO nike.apache.org) (192.87.106.230) by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 11 Oct 2012 01:06:47 +0000 X-ASF-Spam-Status: No, hits=-0.7 required=5.0 tests=RCVD_IN_DNSWL_LOW,SPF_PASS X-Spam-Check-By: apache.org Received-SPF: pass (nike.apache.org: local policy) Received: from [66.111.4.25] (HELO out1-smtp.messagingengine.com) (66.111.4.25) by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 11 Oct 2012 01:06:39 +0000 Received: from compute2.internal (compute2.nyi.mail.srv.osa [10.202.2.42]) by gateway1.nyi.mail.srv.osa (Postfix) with ESMTP id 1757020D33; Wed, 10 Oct 2012 21:06:19 -0400 (EDT) Received: from frontend2.nyi.mail.srv.osa ([10.202.2.161]) by compute2.internal (MEProxy); Wed, 10 Oct 2012 21:06:19 -0400 DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d= daniel.shahaf.name; h=date:from:to:cc:subject:message-id :references:mime-version:content-type:in-reply-to; s=mesmtp; bh= eXxAfsdkiDEUcf92aRrFSguwpUQ=; b=R1mF8YzNURjnNQtpDBGcDmBAceJ2F9Q3 UJHajPtiNzj52oOyeY/suoRD48rkiL/V8fDozZbVCR3ctBp7tL15Tg8AzVdaIII1 dujN8+HiXDElv4M/NBOomVY+KgnKz60TRVQ36lP2S5EWW6/2PD3/B+x6Eu5kFryu EpgrnQG4qHc= DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d= messagingengine.com; h=date:from:to:cc:subject:message-id :references:mime-version:content-type:in-reply-to; s=smtpout; bh=eXxAfsdkiDEUcf92aRrFSguwpUQ=; b=rPc6xF3hx2+qAvOheWDWbs8ZMMnl pJQZ+HKhllb9WsjKvLmYHAO1M6AR9M0DlKXjXnHpJ/e3bymZyXnZuTWXkrWKMjjl 9/1oaCfZDay4pBIG9uJjzUNLnFbA1HZ/bj/1yTj/vb1gf7BwgdWsd8OHaO7xf7VT v+04xBUz5Ip/VXU= X-Sasl-enc: 7Lkq/tP3h5t0OmAHkh3apTmcjQOIEJChFylnqMV0O+4l 1349917578 Received: from lp-shahaf.local (unknown [79.179.216.75]) by mail.messagingengine.com (Postfix) with ESMTPA id 4CDC7482701; Wed, 10 Oct 2012 21:06:18 -0400 (EDT) Date: Thu, 11 Oct 2012 03:06:15 +0200 From: Daniel Shahaf To: Ian Holsman Cc: general@incubator.apache.org Subject: Re: key signing Message-ID: <20121011010612.GB3349@lp-shahaf.local> References:

<36BCBFFD-51AC-41C1-B56C-C60BA7EC895A@Holsman.com.au> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <36BCBFFD-51AC-41C1-B56C-C60BA7EC895A@Holsman.com.au> User-Agent: Mutt/1.5.18 (2008-05-17) Ian Holsman wrote on Thu, Oct 11, 2012 at 10:53:11 +1100: > > On Oct 11, 2012, at 10:44 AM, Greg Stein wrote: > > > > > (assume secure Infrastructure) > > That's a pretty big assumption isn't it? > There have been public instances where open source infrastructures have been hacked, and releases have been messed with. > > I think keys removes the need for the assumption. Signatures also allow verifying "whoever signed tarball is the same person who signed the previous tarball". Hash functions don't do that. --------------------------------------------------------------------- To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org For additional commands, e-mail: general-help@incubator.apache.org