On Sep 24, 2008, at 3:44 PM, Hiram Chirino wrote:

On Wed, Sep 24, 2008 at 1:27 AM, Henning Schmiedehausen
<[EMAIL PROTECTED]> wrote:
On Mon, 2008-09-22 at 13:42 -0400, Hiram Chirino wrote:
On Mon, Sep 22, 2008 at 10:12 AM, sebb <[EMAIL PROTECTED]> wrote:
On 22/09/2008, Hiram Chirino <[EMAIL PROTECTED]> wrote:
The only reason I suggested including the sigs in the source distro is because a source build like Apache ServiceMix depends on hundreds of third-party dependencies.. so an end user would need to end up trusting LOTS of different signatures to get ServiceMix to build.

It would be easier if the end user could just trust the Apache source distro and also transitively trust the signatures that we trust for
our dependencies.

I actually meant to say include the pub key for the dependency in the
source distro.

How do you validate that the pub key presented to you is genuine? What
you are currently proposing is

src-artifact <- signed with A's privkey, validated with A's pubkey

A's pubkey is inside src-artifact.

NO I'm not.  I'm saying that A artifact has 100 dependencies by say 30
different signers.. we include
those 30 pub keys in the src-artifact.  NOT the A key!

You have to validate the A source distro the same way you would
validate an ANT based build source distro today.

Ok, we can do something where the X +1's issued are sent to a keyserver along with the OK of a PMC member or human gate (as one does not want to also automate veto counting) or similar, together with the md5/sha1. And returned is the latter hash signed by some rolling Apache key or x509.

Thanks,

Dw
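The verification order the thread settles on (validate the source distro with a key you already trust out of band, then let the keys bundled inside that distro vouch for its dependencies) can be written down as a small script. The following is an added example, not code from the thread or from Apache ServiceMix; the layout it assumes (a `deps/KEYS.gpg` keyring and a `deps/MANIFEST` of `<sha1>  <path>` lines inside the unpacked distro, and a `.asc` detached signature beside every file) is hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): two-stage verification of a source
# distro and the dependencies it bundles. The directory layout is assumed.
set -e

# Keyring obtained out of band (e.g. a project KEYS file you already
# trust). The keys shipped inside the archive are never used for this step,
# otherwise the archive would be vouching for itself.
TRUSTED_KEYRING="${TRUSTED_KEYRING:-$HOME/.gnupg/apache-trusted.gpg}"

# Print the SHA-1 hex digest of a file (coreutils or BSD fallback).
sha1_of() {
    if command -v sha1sum >/dev/null 2>&1; then
        sha1sum "$1" | awk '{print $1}'
    else
        shasum -a 1 "$1" | awk '{print $1}'
    fi
}

# Return 0 if the file's SHA-1 matches the expected digest, 1 otherwise.
check_sha1() {
    file=$1; expected=$2
    [ "$(sha1_of "$file")" = "$expected" ]
}

# Verify a detached signature against ONE explicit keyring. --trust-model
# always means "any key in this keyring is acceptable", which is exactly
# the transitive trust the thread describes; the keyring path therefore
# decides what is trusted, so it is always passed in explicitly.
verify_sig() {
    keyring=$1; sig=$2; file=$3
    gpg --batch --no-default-keyring --keyring "$keyring" \
        --trust-model always --verify "$sig" "$file"
}

# Stage 2: every dependency listed in deps/MANIFEST must match its recorded
# hash and carry a signature from a key in the distro's own deps/KEYS.gpg.
verify_deps() {
    dir=$1
    keyring="$dir/deps/KEYS.gpg"   # assumed location of the bundled keys
    while read -r digest path; do
        [ -n "$path" ] || continue
        check_sha1 "$dir/$path" "$digest" \
            || { echo "hash mismatch: $path" >&2; return 1; }
        verify_sig "$keyring" "$dir/$path.asc" "$dir/$path" \
            || { echo "bad signature: $path" >&2; return 1; }
    done < "$dir/deps/MANIFEST"
}

# Stage 1 then stage 2. ARCHIVE is the source distro with ARCHIVE.asc
# beside it; DIR is where it has already been unpacked.
verify_distro() {
    archive=$1; dir=$2
    verify_sig "$TRUSTED_KEYRING" "$archive.asc" "$archive" \
        || { echo "source distro signature not trusted" >&2; return 1; }
    verify_deps "$dir"
}

# Usage: verify-distro.sh servicemix-src.tar.gz ./servicemix-src
if [ "$#" -eq 2 ]; then
    verify_distro "$1" "$2" && echo "distro and bundled dependencies verified"
fi
```

The point of the separate keyrings is the one Henning raises: a key inside the archive can never be what validates the archive. Only after stage 1 succeeds does anything in `deps/KEYS.gpg` carry weight, and a failed hash or signature on any single dependency fails the whole build.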
