serf-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Ivan Zhakov <i...@apache.org>
Subject Re: Location of KEYS file
Date Sun, 13 Dec 2015 18:37:21 GMT
On 13 December 2015 at 21:08, Lieven Govaerts <lgo@apache.org> wrote:
> Hi,
>
> the download page says:
>
> "First download the KEYS as well as the asc signature file for the
> particular distribution. Make sure you get these files from the main
> distribution directory, rather than from a mirror. "
>
> Yet the KEYS file we distribute is on people.apache.org [1] where the
> KEYS files of all other projects are. So we are not distributing the
> file from the location that we stress people to use.
> I see other Apache projects having a copy of their KEYS file in the
> dist folder where they distribute the source tarballs from.
>
> Any objections against doing the same thing?
>
The problem that tarballs are usually downloaded from mirrors (via
plain http://), so downloading KEYS while from there doesn't increase
protection from forging tarball.

-- 
Ivan Zhakov

Mime
View raw message