tomcat-dev mailing list archives

From Shane_Curc...@lotus.com
Subject Re: Signing releases [was Re: question]
Date Thu, 24 May 2001 18:08:15 GMT
I'm not a security expert, but I *think* xml-xalan does it correctly.

- Several Xalan committers have PGP keys (including a joint one called
'Lotusxsl team').  You can use a freeware PGP version
(http://www.pgp.com/products/freeware/default.asp), buy a license, or
probably use a GPG version instead (http://www.gnupg.org/).

- We published the public halves of our keys to a well-known public
keyserver, so other people have an independent way to get our keys.

- We exported our public keys into an ascii file called KEYS in our CVS
repository  xml-xalan/java/KEYS

- Our Ant build script copies this KEYS file into the root of our
distribution, which then gets .zip'd and .tar.gz'd.  This is important!

- When shipping a release, we sign the actual .tar.gz/.zip files before
posting to xml.apache.org - we also post the .sig files for each distro as
well

- When a user downloads a release, they should download the .sig file too.
They can then use PGP/GPG to verify the signature on the distro is still
valid.  They can also check that the signature matches one of the keys that
was shipped inside the distro in the KEYS file.  They could also go to
well-known public keyservers and check for keys there.  The truly paranoid
could ask on xalan-dev for the actual signer to confirm their key's
fingerprint, etc. but I haven't met many people that paranoid yet.

Comments on better ways to do this appreciated.  Release security and
authenticity should definitely be an issue for each PMC to decide and then
report on to the ASF, since our released code is a lot of our reputation.
Sounds like PGP/GPG is already used in a number of projects, and is a very
widely used product, so perhaps that can just be the apache standard.

- Shane
---- you "Marc Saegesser" <marc.saegesser@apropos.com> wrote ----

Subject:  Signing releases [was Re: question]

I've checked the Tomcat 3.2.2b5 distribution and it looks OK.

Regarding signing the releases.  Could someone describe the procedures used
by other Apache projects for signing their releases?  Tomcat 3.2.2 will be
going out in the near future and I would like to have a signing mechanism in
place prior to that.
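The download-and-verify steps Shane lists above, as an added shell example (not code from the original thread or from the Xalan build): it imports the distribution's KEYS file into a throwaway keyring, verifies the detached .sig, and optionally insists on a fingerprint confirmed out of band. The function names and the demo key are this example's own; it assumes GnuPG 2.x is installed.

```shell
#!/bin/sh
# Check a release's detached .sig against ONLY the keys shipped in its KEYS
# file, in a throwaway keyring, then (optionally) require a fingerprint that
# was confirmed out of band. verify_release and make_demo_release are names
# chosen for this example; the KEYS layout and .sig naming follow the message.
set -eu

# verify_release DIST SIG KEYS [EXPECTED_FPR]  -> 0 on success, 1 otherwise
verify_release() {
    dist=$1 sig=$2 keys=$3 expected=${4:-}
    ring=$(mktemp -d)                     # never consult the user's own keyring
    gpg --homedir "$ring" --batch --quiet --import "$keys" 2>/dev/null
    # --status-fd 1 yields "[GNUPG:] VALIDSIG <sig-key-fpr> ... <primary-key-fpr>"
    status=$(gpg --homedir "$ring" --batch --status-fd 1 \
                 --verify "$sig" "$dist" 2>/dev/null) || status=""
    gpgconf --homedir "$ring" --kill gpg-agent 2>/dev/null || true
    rm -rf "$ring"
    fpr=$(printf '%s\n' "$status" | awk '/^\[GNUPG:\] VALIDSIG/ {print $NF; exit}')
    if [ -z "$fpr" ]; then
        echo "BAD: $dist has no valid signature from a key listed in $keys"; return 1
    fi
    if [ -n "$expected" ] && [ "$fpr" != "$expected" ]; then
        echo "BAD: signed by $fpr, but the confirmed release key is $expected"; return 1
    fi
    echo "OK: $dist signed by $fpr (key is in $keys)"
}

# make_demo_release DIR: constructed stand-in for a release (throwaway signing
# key, KEYS export, a fake tarball and its .sig). Prints the key's fingerprint.
make_demo_release() {
    dir=$1 home=$(mktemp -d) tarball=$1/xalan-demo.tar.gz
    gpg --homedir "$home" --batch --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Demo release signer <demo@example.invalid>' \
        default default never 2>/dev/null
    gpg --homedir "$home" --batch --armor --export > "$dir/KEYS" 2>/dev/null
    printf 'constructed stand-in for release bytes\n' > "$tarball"
    gpg --homedir "$home" --batch --yes --pinentry-mode loopback --passphrase '' \
        --detach-sign --output "$tarball.sig" "$tarball" 2>/dev/null
    gpg --homedir "$home" --batch --with-colons --list-keys 2>/dev/null \
        | awk -F: '$1 == "fpr" { print $10; exit }'
    gpgconf --homedir "$home" --kill gpg-agent 2>/dev/null || true
    rm -rf "$home"
}

# Stand-alone run (./verify.sh demo): a good signature passes, a tampered download fails.
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d); f=$(make_demo_release "$d")
    verify_release "$d/xalan-demo.tar.gz" "$d/xalan-demo.tar.gz.sig" "$d/KEYS" "$f"
    printf 'x' >> "$d/xalan-demo.tar.gz"
    verify_release "$d/xalan-demo.tar.gz" "$d/xalan-demo.tar.gz.sig" "$d/KEYS" || true
fi
```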


