incubator-general mailing list archives

From sebb <>
Subject Re: ASF Web of Trust [was: Release Distribution Strategy]
Date Mon, 29 Oct 2007 15:50:39 GMT
On 29/10/2007, Gilles Scokart <> wrote:
> > -----Original Message-----
> > From: sebb []
> >
> > Even if you can't establish a trust path, the PGP signature gives a
> > bit more assurance than a hash. The KEY file should be in SVN, so you
> > can ensure that the person that added the key to the KEY file was at
> > least a committer to SVN.
> That's only for the users who have https access to SVN (and who can
> reliably verify the SSH key of the server).  The others have to assume
> that the server from which they are reading the KEY file is the real

Strictly speaking, yes.

The KEY file can be downloaded without needing https access, but as
you point out, this is not necessarily a guarantee of authenticity.

However, it is one more obstacle that a hacker would have to surmount
- they would have to subvert the SVN host as well as the main apache
host holding the KEY file.

> Gilles

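The check the thread is talking about, written out as an added example (it is not code from the thread or from the ASF): a downloader imports the project's KEYS file into a throwaway keyring, verifies the detached PGP signature, and only then compares the published hash. It assumes GnuPG 2.1+ is on PATH as `gpg`; the release-manager key, the KEYS file, the artifact name `foo-1.0.tar.gz` and the address `rm@example.invalid` are all constructed locally so it runs offline.

```shell
#!/bin/sh
# Added example, not from the thread: release verification against a KEYS file.
# Assumes GnuPG 2.1+ as `gpg`; all inputs below are constructed locally.
set -eu

# sha256_of FILE: print the hex SHA-256 of FILE (coreutils or perl shasum).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_release KEYS ARTIFACT: import KEYS into a throwaway keyring, check
# the detached signature ARTIFACT.asc, then compare ARTIFACT.sha256.
# Exit status 0 only if the signature validates under a key from KEYS AND
# the hash matches. The hash alone says nothing about who published the file:
# whoever can replace the artifact on a mirror can replace the hash too.
verify_release() {
    keys=$1; artifact=$2
    ring=$(mktemp -d)
    chmod 700 "$ring"
    # A separate keyring means "good signature" can only mean "signed by a
    # key in KEYS"; nothing in the user's own keyring can satisfy the check.
    GNUPGHOME=$ring gpg --batch --quiet --import "$keys" 2>/dev/null
    # gpg --verify exits 0 for a good signature even when there is no trust
    # path to the signer; it only warns. That warning is the gap discussed in
    # the thread, and the provenance of KEYS (e.g. its copy in SVN) is what
    # fills it.
    if ! GNUPGHOME=$ring gpg --batch --quiet --verify "$artifact.asc" "$artifact" 2>/dev/null; then
        rm -rf "$ring"
        return 1
    fi
    rm -rf "$ring"
    expected=$(awk '{print $1}' "$artifact.sha256")
    [ "$expected" = "$(sha256_of "$artifact")" ]
}

# make_fixture DIR: constructed test data, not a real release. Generates a
# throwaway release-manager key, signs a fake tarball and exports the public
# key as KEYS, mimicking what a release manager does before publishing.
make_fixture() {
    dir=$1
    rmhome=$dir/rm-gnupg
    mkdir -p "$rmhome"; chmod 700 "$rmhome"
    GNUPGHOME=$rmhome gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-gen-key 'Example RM <rm@example.invalid>' default default 0 2>/dev/null
    printf 'not a real release\n' > "$dir/foo-1.0.tar.gz"
    GNUPGHOME=$rmhome gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --armor --detach-sign "$dir/foo-1.0.tar.gz"
    GNUPGHOME=$rmhome gpg --batch --quiet --armor --export > "$dir/KEYS"
    sha256_of "$dir/foo-1.0.tar.gz" > "$dir/foo-1.0.tar.gz.sha256"
}
```

Usage: `d=$(mktemp -d); make_fixture "$d"; verify_release "$d/KEYS" "$d/foo-1.0.tar.gz"`. Appending a byte to the tarball and regenerating the `.sha256` file makes the hash check pass again but leaves `verify_release` failing, which is the extra assurance sebb describes. A stricter variant would also pin the expected signing key by fingerprint (parse the `VALIDSIG` line from `gpg --status-fd 1`) rather than accepting any key in KEYS.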