incubator-general mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Justin Mclean <jus...@classsoftware.com>
Subject Re: [VOTE] Apache MXNet (incubating) 1.2.0 release RC3
Date Sat, 19 May 2018 07:56:18 GMT
Hi,

> I had a look at the files and found that the key required to verify the signature is
not contained in the KEYS file in the tar ball. 

AFAIK having the KEY file in the tar ball is not really helpful at all as it could be modified
and republished. The KEY file needs to be stored alongside the release [1], hashes and KEYS
are hashes not propagated on the mirror system. [2]

Thanks,
Justin

1. https://www.apache.org/dev/release-signing.html#keys-policy
2. http://www.apache.org/dev/release-publishing.html#distribution_dist
---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
For additional commands, e-mail: general-help@incubator.apache.org


Mime
View raw message