Gotcha! OK, makes sense. I wasn't sure how the mirroring system worked, and whether or not the mirrors were read-only downstream of the Apache source (I guess we can't ensure that, right?)

If that's the case, then I'm +1 for what you're saying.

Cheers,
Chris

On Jun 27, 2011, at 1:48 PM, Benson Margulies wrote:

> Mirrors.
>
> Lots of non-apache people work for all those many companies that
> operate all those many, many, mirrors.
>
> On Mon, Jun 27, 2011 at 4:48 PM, Mattmann, Chris A (388J)
> <chris.a.mattm...@jpl.nasa.gov> wrote:
>> Hi Benson,
>>
>> On Jun 27, 2011, at 1:37 PM, Benson Margulies wrote:
>>
>>> Chris,
>>>
>>> If my goal was to hoodwink you, I'd create a bogus key that claimed to
>>> be owned by an Apache person, put it in a KEYS file, include it in
>>> the release, and sign the release with it. If I was lucky, you'd just
>>> verify the release with the embedded key, and I'd have succeeded. We
>>> want people to use keys from some source OTHER than the mirrors to
>>> verify. There is a non-zero risk of compromise of the many mirrors.
>>
>> Sorry, missing the point here. How would you hoodwink me by including a
>> bogus key in a KEYS file included in a distro that only Apache people have
>> the right to seed any easier than hoodwinking me by placing that same bogus
>> key in a place that only Apache people have the right to see (the /dist
>> directory on minotaur)?
>>
>> Cheers,
>> Chris
>>
>> ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
>> Chris Mattmann, Ph.D.
>> Senior Computer Scientist
>> NASA Jet Propulsion Laboratory Pasadena, CA 91109 USA
>> Office: 171-266B, Mailstop: 171-246
>> Email: chris.a.mattm...@nasa.gov
>> WWW: http://sunset.usc.edu/~mattmann/
>> ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
>> Adjunct Assistant Professor, Computer Science Department
>> University of Southern California, Los Angeles, CA 90089 USA
>> ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org
>> For additional commands, e-mail: general-h...@incubator.apache.org
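The scenario Benson describes, as an added example that is not part of the thread: it generates two throwaway keys locally (a release manager's and an impostor's; the user IDs, the dummy tarball and the KEYS.trusted / KEYS.embedded file names are constructed), signs the tarball with the impostor key, and shows that checking it against the KEYS file bundled with the release accepts the signature while checking it against a KEYS file obtained out of band rejects it. It assumes GnuPG 2.1 or later is installed.

```sh
#!/bin/sh
# Added example (not from the thread). Constructs Benson's scenario locally:
# a tarball whose bundled KEYS file holds a bogus key that also signed it, then
# checks it against that embedded KEYS and against an out-of-band KEYS file.
set -eu
command -v gpg >/dev/null 2>&1 || { echo "gpg not installed, skipping" >&2; exit 0; }

# verify_release KEYS ARTIFACT: import KEYS into a throwaway keyring and check
# ARTIFACT.asc against it. Prints GOOD or BAD. gpg exits 0 for any valid
# signature by an imported key, trusted or not, which is the gap shown here.
verify_release() {
    ring=$(mktemp -d)
    if GNUPGHOME=$ring gpg --batch --quiet --import "$1" 2>/dev/null &&
       GNUPGHOME=$ring gpg --batch --quiet --verify "$2.asc" "$2" 2>/dev/null; then
        result=GOOD
    else
        result=BAD
    fi
    GNUPGHOME=$ring gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$ring"
    echo "$result"
}

# Unattended, passphrase-less ed25519 signing key (assumes GnuPG >= 2.1).
gen_key() {
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-gen-key "$1" ed25519 sign never
}
# demo: the release manager's key stands for what a KEYS file fetched from
# apache.org itself holds; the impostor key is the one bundled in the tarball.
demo() {
    work=$(mktemp -d)
    export GNUPGHOME="$work/signers"
    mkdir -m 700 "$GNUPGHOME"
    gen_key 'Release Manager <rm@example.invalid>'
    gen_key 'Impostor <impostor@example.invalid>'
    gpg --batch --armor --export rm@example.invalid > "$work/KEYS.trusted"
    gpg --batch --armor --export impostor@example.invalid > "$work/KEYS.embedded"
    printf 'constructed release contents\n' > "$work/project-1.0.tar.gz"
    gpg --batch --pinentry-mode loopback --passphrase '' --armor --detach-sign \
        --local-user impostor@example.invalid "$work/project-1.0.tar.gz"
    embedded=$(verify_release "$work/KEYS.embedded" "$work/project-1.0.tar.gz")
    trusted=$(verify_release "$work/KEYS.trusted" "$work/project-1.0.tar.gz")
    gpgconf --kill gpg-agent 2>/dev/null || true
    unset GNUPGHOME
    rm -rf "$work"
    echo "embedded:$embedded trusted:$trusted"   # embedded:GOOD trusted:BAD
}
demo
```

The same verify_release function works unchanged against a real download: point its first argument at a KEYS file fetched from apache.org rather than from the mirror that served the tarball.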