xml-general mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From robert burrell donkin <robertburrelldon...@blueyonder.co.uk>
Subject Re: PMC Work Items
Date Fri, 28 Feb 2003 23:14:11 GMT
On Friday, February 28, 2003, at 10:54 PM, Berin Lautenbach wrote:

> Robert,


>> therefore, it seems to me that a release signed by a key which resides 
>> on an ASF machine can be trusted as much as a release downloaded 
>> directly from an ASF machine.
>> so, in security terms, moving from unsigned releases on an ASF machine 
>> to signed releases on mirror with keys on ASF machines is security 
>> neutral.
>> moving to a secure apache wide system of signed keys would be a definite 
>> improvement. (but there may be practical problems to be overcome.)
> Absolutely agree with all of the above.  Thus my question about "what is 
> the aim".  If the aim is to remain in a neutral state, then OK.  It just 
> seems to me that given we have to address one problem, then there is an 
> opportunity to address the wider problem and look at how we can overcome 
> the practical problems you mention.  They have all been overcome before, 
> and anything that promotes "trust" in the Apache brand has to be a good 
> thing?


i think that it's important to understand the primary purpose behind the 
current key signing system is to allow mirrors to take the strain from 
daedelus without making security worse than it is at the moment. so, it's 
the positive 'promotion of trust' angle which is the one to take.
IMHO the main practical issue is that apache committers are on five 
continents. i've never met any other committers in person. getting all 
release managers together in a room where everyone can sign everyone else'
s (code signing) key is never going to happen.

> I think I might go one step further in remaining security neutral.  We 
> also need to more strongly "advertise" the need for people to now 
> validate signatures against a key sourced from an ASF machine to 
> encourage people to take that extra step.  Easily done however.  (Part of 
> the download page etc.)

i am a release manager over in jakarta-land. i'd strongly advocate 
repeating the 'you must validate the signatures' message as much as 
possible. i personally try to include it on every news item and 
announcement i create for a release.

over in jakarta-land the message is also repeated in the download page (eg 
http://jakarta.apache.org/site/binindex.cgi) and often in the download 
directory README.html (eg. 
http://apache.ttlhost.com/jakarta/commons/beanutils/). i'd say that these 
are good practices and worthy of imitation.

- robert

In case of troubles, e-mail:     webmaster@xml.apache.org
To unsubscribe, e-mail:          general-unsubscribe@xml.apache.org
For additional commands, e-mail: general-help@xml.apache.org

View raw message