Mirrors. Lots of non-Apache people work for all those many companies that operate all those many, many mirrors.
On Mon, Jun 27, 2011 at 4:48 PM, Mattmann, Chris A (388J) <chris.a.mattm...@jpl.nasa.gov> wrote:
> Hi Benson,
>
> On Jun 27, 2011, at 1:37 PM, Benson Margulies wrote:
>
>> Chris,
>>
>> If my goal was to hoodwink you, I'd create a bogus key that claimed to
>> be owned by an Apache person, put it in a KEYS file, and include in
>> the release, and sign the release with it. If I was lucky, you'd just
>> verify the release with the embedded key, and I'd have succeeded. We
>> want people to use keys from some source OTHER than the mirrors to
>> verify. There is a non-zero risk of compromise of the many mirrors.
>
> Sorry, missing the point here. How would you hoodwink me by including a bogus
> key in a KEYS file included in a distro that only Apache people have the
> right to seed any easier than hoodwinking me by placing that same bogus key
> in a place that only Apache people have the right to see (the /dist directory
> on minotaur)?
>
> Cheers,
> Chris
>
> Chris Mattmann, Ph.D.
> Senior Computer Scientist
> NASA Jet Propulsion Laboratory Pasadena, CA 91109 USA
> Office: 171-266B, Mailstop: 171-246
> Email: chris.a.mattm...@nasa.gov
> WWW: http://sunset.usc.edu/~mattmann/
> Adjunct Assistant Professor, Computer Science Department
> University of Southern California, Los Angeles, CA 90089 USA
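An added example, not part of the thread and not Apache's own tooling: a release check that accepts a signature only when the signer's fingerprint matches one obtained from a source other than the mirror, so a key that merely arrived in a bundled KEYS file is rejected even though gpg calls the signature valid. The function names, both fingerprints and the sample status lines are constructed for illustration; `verify_release` assumes `gpg` is on the PATH.

```python
import subprocess

# Constructed sample values: a fingerprint obtained out of band, and the
# fingerprint of a key that only ever arrived inside a mirrored KEYS file.
PINNED_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"
BOGUS_FPR = "FEDCBA9876543210FEDCBA9876543210FEDCBA98"

def sample_status(fpr):
    """Constructed `gpg --status-fd` output for a valid signature by `fpr`."""
    return ("[GNUPG:] GOODSIG %s Apache Person <person@example.org>\n"
            "[GNUPG:] VALIDSIG %s 2011-06-27 1309200000 0 4 0 1 8 00 %s\n"
            % (fpr[-16:], fpr, fpr))

def signer_fingerprints(status_text):
    """Return (signing_key_fpr, primary_key_fpr) from the VALIDSIG line, or None."""
    for line in status_text.splitlines():
        parts = line.split()
        # GOODSIG only says the signature matches some key in the keyring,
        # including one imported from a bundled KEYS file. VALIDSIG carries
        # the full fingerprint, which is what gets compared to the pin.
        if len(parts) >= 3 and parts[:2] == ["[GNUPG:]", "VALIDSIG"]:
            signing = parts[2].upper()
            primary = parts[11].upper() if len(parts) >= 12 else signing
            return signing, primary
    return None

def is_pinned_signer(status_text, pinned_fprs):
    """True only if the signature's primary key is one of the pinned fingerprints."""
    fprs = signer_fingerprints(status_text)
    if fprs is None:
        return False
    pinned = {f.replace(" ", "").upper() for f in pinned_fprs}
    return fprs[1] in pinned

def verify_release(artifact, signature, pinned_fprs, gpg="gpg"):
    """Run gpg on a detached signature and apply the fingerprint pin."""
    proc = subprocess.run(
        [gpg, "--batch", "--status-fd", "1", "--verify", signature, artifact],
        capture_output=True, text=True)
    return proc.returncode == 0 and is_pinned_signer(proc.stdout, pinned_fprs)

if __name__ == "__main__":
    print(is_pinned_signer(sample_status(PINNED_FPR), [PINNED_FPR]))
    print(is_pinned_signer(sample_status(BOGUS_FPR), [PINNED_FPR]))
```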