struts-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jeromy Evans <>
Subject Re: 2.1 build
Date Wed, 09 Apr 2008 03:15:44 GMT
Martin Cooper wrote:
> On Tue, Apr 8, 2008 at 6:57 PM, Jeromy Evans <
>> wrote:
>> Understood.  Can I sign and distribute Don's binaries[1] or *must* they be
>> signed by the person that built them?
> I've lost track of why Don can't sign them himself, but I would consider it
> OK for you to do that if you use the following process:
> 1) Have Don e-mail you the binaries or otherwise get them to you in a way
> that they could not be intercepted. (I don't consider you picking them up
> from the URL below to be acceptable because there is a chance, however slim,
> that those binaries could have been compromised. And yes, I realise that
> e-mail can in fact be intercepted as well, but if you guys coordinate
> time-wise, I think that is an acceptable risk.)
> 2) You sign them, and mail the .asc files back to Don.
> 3) Don verifies that the .asc files you sent him validate successfully
> against the binaries that he has.
> At this point, you (Jeromy) have the appropriate signatures for what Don
> originally built, as well as the binaries, and can take it from there.

Thanks Martin,  That doesn't take Don out of the loop so it won't 
alleviate the issue that he's been too busy to sign and distribute the 
If he's able to validate the .asc against the original binaries he's 
able to generate them.  It's less effort and risk to wait until Don has 
time to complete the task.

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message