serf-dev mailing list archives

From Greg Stein <gst...@gmail.com>
Subject Re: Location of KEYS file
Date Sun, 13 Dec 2015 21:37:38 GMT
On Sun, Dec 13, 2015 at 12:37 PM, Ivan Zhakov <ivan@apache.org> wrote:

> On 13 December 2015 at 21:08, Lieven Govaerts <lgo@apache.org> wrote:
> > Hi,
> >
> > the download page says:
> >
> > "First download the KEYS as well as the asc signature file for the
> > particular distribution. Make sure you get these files from the main
> > distribution directory, rather than from a mirror. "
> >
> > Yet the KEYS file we distribute is on people.apache.org [1] where the
> > KEYS files of all other projects are. So we are not distributing the
> > file from the location that we stress people to use.
> > I see other Apache projects having a copy of their KEYS file in the
> > dist folder where they distribute the source tarballs from.
> >
> > Any objections against doing the same thing?
>

If you mean, have the download page specify
https://people.apache.org/keys/group/serf.asc, then I agree. I don't see a
need to make a copy or try to maintain a KEYS file anywhere else.


> The problem is that tarballs are usually downloaded from mirrors (via
> plain http://), so downloading KEYS from there doesn't increase
> protection against tarball forgery.
>

It already covers that: "Make sure you get these files from the
main distribution directory, rather than from a mirror. "

Cheers,
-g
