On 13/07/2020 06:43, Stefan Bodewig wrote:
> On 2020-07-12, Rob Tompkins wrote:
>
>> given the consistency of the signatures from the plugins…do we need to
>> check them for releases anymore?
>
> Yes, please. Not everybody uses the plugins and even if everybody did a
> misconfiguration could be pulling in the wrong key or a key not
> available from the expected download location.

+1, for several reasons

It also catches corrupted uploads.

It is simpler to fix during a release vote than after a release where we'd have to at least consider the possibility of malicious activity and respond accordingly until we could prove it wasn't.

Mark