www-infrastructure-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Joshua Slive (JIRA)" <j...@apache.org>
Subject [jira] Resolved: (INFRA-1189) RSYNC: Change rsync configuration to exclude KEYS files
Date Thu, 14 Jun 2007 17:19:26 GMT

     [ https://issues.apache.org/jira/browse/INFRA-1189?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel

Joshua Slive resolved INFRA-1189.

    Resolution: Won't Fix

I disagree with this.

While we should encourage downloaders to get KEYS files from our sites, if our sites should
ever go down, KEYS files plus pgp signatures can still be used to verify the authenticity
of a release if someone can establish a PGP chain of trust to a signer in the KEYS file.

I admit that this is mostly theoretical, but if we should ever lose apache.org, we want to
give our users the best possible chance of verifying stuff from the mirrors.

> RSYNC: Change rsync configuration to exclude KEYS files
> -------------------------------------------------------
>                 Key: INFRA-1189
>                 URL: https://issues.apache.org/jira/browse/INFRA-1189
>             Project: Infrastructure
>          Issue Type: Improvement
>      Security Level: public(Regular issues) 
>          Components: Mirrors
>            Reporter: Sebb
> KEYS files are currently picked up by the mirrors.
> However, they should never be trusted on mirrors, so I suggest that they are not made
> It looks like MD5 files are already excluded from mirrors, which is probably a good thing.

This message is automatically generated by JIRA.
You can reply to this email to add a comment to the issue online.

View raw message