serf-dev mailing list archives

From Lieven Govaerts <...@mobsol.be>
Subject Re: Location of KEYS file
Date Sun, 13 Dec 2015 22:03:20 GMT
On Sun, Dec 13, 2015 at 10:37 PM, Greg Stein <gstein@gmail.com> wrote:
> On Sun, Dec 13, 2015 at 12:37 PM, Ivan Zhakov <ivan@apache.org> wrote:
>
>> On 13 December 2015 at 21:08, Lieven Govaerts <lgo@apache.org> wrote:
>> > Hi,
>> >
>> > the download page says:
>> >
>> > "First download the KEYS as well as the asc signature file for the
>> > particular distribution. Make sure you get these files from the main
>> > distribution directory, rather than from a mirror. "
>> >
>> > Yet the KEYS file we distribute is on people.apache.org [1] where the
>> > KEYS files of all other projects are. So we are not distributing the
>> > file from the location that we stress people to use.
>> > I see other Apache projects having a copy of their KEYS file in the
>> > dist folder where they distribute the source tarballs from.
>> >
>> > Any objections against doing the same thing?
>>
>
> If you mean, have the download page specify
> https://people.apache.org/keys/group/serf.asc, then I agree. I don't see a
> need to make a copy or try to maintain a KEYS file anywhere else.
>
>
>> The problem is that tarballs are usually downloaded from mirrors (via
>> plain http://), so downloading KEYS from there doesn't increase
>> protection from forging the tarball.
>>
>
> It already covers that: "Make sure you get these files from the
> main distribution directory, rather than from a mirror. "

But people.apache.org is not our main distribution directory, it's
somewhere else. The text on our download page is surely taken over
from the httpd project, who have their KEYS file on dist, just like
many other Apache projects. That warning to not use a mirror only
makes sense for the dist location too.

I'm fine with keeping the KEYS file on people.apache.org, but then we
should delete the line about using the main distribution directory.

Lieven

> Cheers,
> -g
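
The point argued in this thread, as an added example that is not part of the original message or of the serf project's tooling: the tarball and its .asc may come from any mirror, but the KEYS file is accepted only over HTTPS from the host treated as the trust anchor, and is imported into a throwaway keyring. The function names and the host allow-list are assumptions; the KEYS URL is the one quoted above, and the file names in the usage comment are placeholders.

```sh
#!/bin/sh
# Added example; function names and the allow-list are assumptions.
# Trust anchor for KEYS: the host named in the thread, HTTPS only.
TRUSTED_KEYS_HOSTS="people.apache.org"

# keys_url_ok URL -> 0 only for https:// URLs whose host is allow-listed.
keys_url_ok() {
    case $1 in
        https://*) ;;
        *) return 1 ;;                 # plain http:// mirror, file://, ...
    esac
    host=${1#https://}
    host=${host%%/*}
    case $host in
        ''|*@*|*:*) return 1 ;;        # no userinfo or port tricks
    esac
    for h in $TRUSTED_KEYS_HOSTS; do
        if [ "$host" = "$h" ]; then return 0; fi
    done
    return 1
}

# verify_release KEYS_URL TARBALL SIG
# The tarball and .asc may come from any mirror; only KEYS is origin-checked.
# Returns 0 on a valid signature, 2 on an untrusted KEYS origin, 1 otherwise.
verify_release() {
    if ! keys_url_ok "$1"; then
        echo "refusing KEYS from untrusted origin: $1" >&2
        return 2
    fi
    tmp=$(mktemp -d) || return 1
    rc=1
    # Throwaway keyring: the only keys present are those from the KEYS file,
    # so a VALIDSIG status line means "signed by a key listed in KEYS".
    if curl --fail --silent --show-error --proto '=https' \
            --output "$tmp/KEYS" "$1" &&
       gpg --homedir "$tmp" --batch --quiet --import "$tmp/KEYS" 2>/dev/null &&
       gpg --homedir "$tmp" --batch --status-fd 1 --verify "$3" "$2" 2>/dev/null |
           grep -q '^\[GNUPG:\] VALIDSIG '
    then
        rc=0
    fi
    rm -rf "$tmp"
    return "$rc"
}

# Usage (file names are placeholders):
#   verify_release https://people.apache.org/keys/group/serf.asc \
#       serf-X.Y.Z.tar.bz2 serf-X.Y.Z.tar.bz2.asc
```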
