incubator-general mailing list archives

From Greg Stein <>
Subject Re: key signing
Date Thu, 11 Oct 2012 01:31:30 GMT
On Wed, Oct 10, 2012 at 7:53 PM, Ian Holsman <> wrote:
> On Oct 11, 2012, at 10:44 AM, Greg Stein <> wrote:
>> (assume secure Infrastructure)
> That's a pretty big assumption isn't it?

Empirically, we've had break-ins, so we can assume it will happen
again. But now you're talking that somebody has to change the svn/dist
system to install new tarballs and new checksums. Without being
noticed once control is regained.

> There have been public instances where open source infrastructures have been hacked,
> and releases have been messed with.
> I think keys removes the need for the assumption.

Not too much. We still instruct users "take the signatures and verify
them against". John Blackhat could replace the
signatures and install his entry into KEYS.

I still see no need for key-based signing here :-)
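The weakness Greg points at is that a KEYS file served from the same host as the tarball proves nothing once that host is compromised: an attacker who can swap the tarball and its `.asc` can also add his own key to KEYS, and `gpg --verify` will happily report a good signature. The following is an added example, not code from the thread or from Apache infrastructure, showing the check a download script needs on top of `gpg --verify`: it parses GnuPG's machine-readable `--status-fd` output and accepts a release only if the signing key's fingerprint is on an allow-list obtained out-of-band (a release manager's fingerprint confirmed in person or via a separately trusted channel). The fingerprints and the status lines below are constructed for the example and are not real project keys.

```python
"""Trust decision for a GnuPG release-signature check.

Added example (not from the mailing-list thread). Parses the lines that
``gpg --status-fd 1 --verify <file>.asc <file>`` prints and treats a
signature as acceptable only when the signer's primary-key fingerprint is
pinned out-of-band, not merely present in a KEYS file fetched from the
same server as the tarball.
"""
import subprocess
from typing import Optional, Tuple

# Fingerprints of known release managers, obtained out-of-band.
# Constructed placeholder values, not real keys.
PINNED_RELEASE_KEYS = {
    "0123456789ABCDEF0123456789ABCDEF01234567",
}

# Constructed gpg status output for a tarball signed by a pinned key.
# Field order follows GnuPG's VALIDSIG line:
#   VALIDSIG <fpr> <sig_date> <sig_ts> <expire_ts> <ver> <reserved>
#            <pk_algo> <hash_algo> <sig_class> <primary_key_fpr>
GOOD_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Release Manager <rm@example.invalid>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2012-10-10 1349890000 0 4 0 1 8 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""

# Constructed output for the attack in the thread: the tarball was re-signed
# with a key the attacker inserted into KEYS, so gpg itself says GOODSIG.
ROGUE_KEY_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG FEDCBA9876543210 John Blackhat <jb@example.invalid>
[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA9876543210FEDCBA98 2012-10-10 1349890500 0 4 0 1 8 00 FEDCBA9876543210FEDCBA9876543210FEDCBA98
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""

# Constructed output for a tampered tarball whose signature no longer matches.
BAD_SIG_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] BADSIG 89ABCDEF01234567 Release Manager <rm@example.invalid>
"""


def signer_fingerprint(status_output: str) -> Optional[str]:
    """Return the primary-key fingerprint from gpg's VALIDSIG line, or None
    when gpg reported no valid signature (BADSIG, NO_PUBKEY, nothing)."""
    for line in status_output.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[0] == "[GNUPG:]" and fields[1] == "VALIDSIG":
            # Index 11 is the primary-key fingerprint when gpg includes it;
            # for a signature made by the primary key it equals index 2.
            return fields[11] if len(fields) >= 12 else fields[2]
    return None


def release_is_trusted(status_output: str, pinned=PINNED_RELEASE_KEYS) -> Tuple[bool, str]:
    """Accept only a cryptographically valid signature from a pinned key.
    A GOODSIG from a key that is in KEYS but not pinned is rejected: that is
    exactly the outcome of an attacker editing KEYS on a compromised host."""
    fpr = signer_fingerprint(status_output)
    if fpr is None:
        return False, "no valid signature"
    if fpr not in pinned:
        return False, "valid signature, but signer %s is not a pinned release key" % fpr
    return True, "signed by pinned key %s" % fpr


def verify_with_gpg(asc_path: str, tarball_path: str) -> Tuple[bool, str]:
    """Run the real check against files on disk (needs gpg installed and
    KEYS already imported into the keyring). Not exercised by the tests."""
    proc = subprocess.run(
        ["gpg", "--status-fd", "1", "--verify", asc_path, tarball_path],
        capture_output=True, text=True,
    )
    return release_is_trusted(proc.stdout)


if __name__ == "__main__":
    for name, status in (("good", GOOD_STATUS), ("rogue", ROGUE_KEY_STATUS), ("bad", BAD_SIG_STATUS)):
        print(name, release_is_trusted(status))
```

The point of the example is the middle branch: `gpg --verify` alone only answers "does this signature match some key in my keyring", and if the keyring was populated from a KEYS file fetched next to the tarball, that question is answered by whoever controls the server. Pinning the release managers' fingerprints (and refreshing that list only through a channel independent of the download host) is what turns the signature into evidence about the publisher rather than about the server.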

