www-repository mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Simon Kitching <skitch...@apache.org>
Subject Re: PGP key A74A32FC not in KEYS file
Date Tue, 16 Sep 2008 06:59:25 GMT
Henk P. Penning schrieb:
> On Mon, 15 Sep 2008, Sean Mullan wrote:
>
>> Date: Mon, 15 Sep 2008 15:15:17 -0400
>> From: Sean Mullan <Sean.Mullan@Sun.COM>
>> To: Henk P. Penning <henkp@cs.uu.nl>
>> Cc: Sean Mullan <mullan@apache.org>, repository@apache.org
>> Subject: Re: PGP key A74A32FC not in KEYS file
>>
>> Hi Henk,
>>
>> I created a KEYS file with my public key on people.apache.org in the 
>> directory 
>> /www/people.apache.org/repo/m2-ibiblio-rsync-repository/org/apache/santuario 
>>
>>
>> Let me know if that fixes the problem.
>
> Hi Sean,
>
>   yup ; that fixed it ; thanks for the quick response.

Is this really a valid solution?

I thought that
(a) there should be only a few KEYS files, because otherwise it is a 
pain for users to download them, and
(b) that KEYS files should *never* be downloaded from mirror servers, 
but always from the apache servers. The main point of the keys file 
AFAIK is to detect when someone has cracked a mirror server and 
installed a trojaned download. If the key is downloaded from the same 
mirror server then the sig adds no security at all because the cracker 
can also install their own KEYS file on the mirror server at the same 
time that they install their trojaned binary.

Regards,
Simon


Mime
View raw message