serf-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Ivan Zhakov <>
Subject Re: Location of KEYS file
Date Sun, 13 Dec 2015 18:37:21 GMT
On 13 December 2015 at 21:08, Lieven Govaerts <> wrote:
> Hi,
> the download page says:
> "First download the KEYS as well as the asc signature file for the
> particular distribution. Make sure you get these files from the main
> distribution directory, rather than from a mirror. "
> Yet the KEYS file we distribute is on [1] where the
> KEYS files of all other projects are. So we are not distributing the
> file from the location that we stress people to use.
> I see other Apache projects having a copy of their KEYS file in the
> dist folder where they distribute the source tarballs from.
> Any objections against doing the same thing?
The problem that tarballs are usually downloaded from mirrors (via
plain http://), so downloading KEYS while from there doesn't increase
protection from forging tarball.

Ivan Zhakov

View raw message