Henning Schmiedehausen wrote:
> > How do you validate that the pub key presented to you is genuine?
Every project worth its salt has a www.apache.org/dist/{tlp}/KEYS file which contains that project's contributors' signatures, countersigned or not. Ideally, they are extensively countersigned. But in some cases they are not.

The delta is: are you trusting www.apache.org/dist/{tlp}/KEYS? Or are you trusting www.friendlyname.zz/mirrors/apache/dist/{tlp}/KEYS? There's a pretty major difference :)