Hi Benson, On Jun 27, 2011, at 1:37 PM, Benson Margulies wrote:
> Chris, > > If my goal was to hoodwink you, I'd create a bogus key that claimed to > be owned by an Apache person, put it in a KEYS file, and include in > the release, and sign the release with it. If I was lucky, you'd just > verify the release with the embedded key, and I'd have succeeded. We > want people to use keys from some source OTHER than the mirrors to > verify. There is a non-zero risk of compromise of the many mirrors. Sorry, missing the point here. How would you hoodwink me by including a bogus key in a KEYS file included in a distro that only Apache people have the right to seed any easier than hoodwinking me by placing that same bogus key in a place that only Apache people have the right to see (the /dist directory on minotaur)? Cheers, Chris ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Chris Mattmann, Ph.D. Senior Computer Scientist NASA Jet Propulsion Laboratory Pasadena, CA 91109 USA Office: 171-266B, Mailstop: 171-246 Email: chris.a.mattm...@nasa.gov WWW: http://sunset.usc.edu/~mattmann/ ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Adjunct Assistant Professor, Computer Science Department University of Southern California, Los Angeles, CA 90089 USA ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ --------------------------------------------------------------------- To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org For additional commands, e-mail: general-h...@incubator.apache.org
