Posted to repository@apache.org by "Henk P. Penning" <he...@cs.uu.nl> on 2008/09/15 17:35:04 UTC
PGP key A74A32FC not in KEYS file
Hi Sean,
I do some checking on the apache.org Maven repo. I noticed
that your public pgp key A74A32FC can't be found in any
KEYS file.
Please take a look at
http://people.apache.org/~henkp/repo/
... and add your public key to some proper KEYS file.
Don't hesitate to mail me if you have questions.
Thanks a lot ; regards,
Henk Penning -- apache.org infrastructure
---------------------------------------------------------------- _
Henk P. Penning, Computer Systems Group R Uithof CGN-A232 _/ \_
Dept of Computer Science, Utrecht University T +31 30 253 4106 / \_/ \
Padualaan 14, 3584CH Utrecht, the Netherlands F +31 30 253 2804 \_/ \_/
http://people.cs.uu.nl/henkp/ M penning@cs.uu.nl \_/
Re: PGP key A74A32FC not in KEYS file
Posted by Simon Kitching <sk...@apache.org>.
Henk P. Penning wrote:
> On Mon, 15 Sep 2008, Sean Mullan wrote:
>
>> Date: Mon, 15 Sep 2008 15:15:17 -0400
>> From: Sean Mullan <Se...@Sun.COM>
>> To: Henk P. Penning <he...@cs.uu.nl>
>> Cc: Sean Mullan <mu...@apache.org>, repository@apache.org
>> Subject: Re: PGP key A74A32FC not in KEYS file
>>
>> Hi Henk,
>>
>> I created a KEYS file with my public key on people.apache.org in the
>> directory
>> /www/people.apache.org/repo/m2-ibiblio-rsync-repository/org/apache/santuario
>>
>>
>> Let me know if that fixes the problem.
>
> Hi Sean,
>
> yup ; that fixed it ; thanks for the quick response.
Is this really a valid solution?
I thought that
(a) there should be only a few KEYS files, because otherwise it is a
pain for users to download them, and
(b) that KEYS files should *never* be downloaded from mirror servers,
but always from the apache servers. The main point of the keys file
AFAIK is to detect when someone has cracked a mirror server and
installed a trojaned download. If the key is downloaded from the same
mirror server then the sig adds no security at all because the cracker
can also install their own KEYS file on the mirror server at the same
time that they install their trojaned binary.
Regards,
Simon
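Added example, not part of the original thread or of any Apache tooling: a small model of point (b) above, showing that a signature check passes on a replaced download when KEYS comes from the same mirror and fails when KEYS comes from the origin. Textbook RSA over fixed Mersenne primes is a constructed stand-in for OpenPGP, and every name and byte string here is hypothetical.

```python
import hashlib

E = 65537  # public exponent shared by both toy keys

def keypair(p, q):
    """Textbook-RSA key from two primes (toy stand-in for an OpenPGP key)."""
    n = p * q
    return {"n": n, "d": pow(E, -1, (p - 1) * (q - 1))}

def digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(key, data):
    return pow(digest(data, key["n"]), key["d"], key["n"])

def verify(keys_file, data, sig):
    """True if sig matches data under any public modulus listed in keys_file."""
    return any(pow(sig, E, n) == digest(data, n) for n in keys_file)

# Constructed keys built from small Mersenne primes; far too weak for real use.
release_key = keypair(2**61 - 1, 2**89 - 1)      # the release manager
intruder_key = keypair(2**107 - 1, 2**127 - 1)   # whoever replaced the files

ORIGIN_KEYS = [release_key["n"]]  # KEYS as served by the project's own server

def honest_mirror():
    data = b"genuine release"
    return {"artifact": data, "sig": sign(release_key, data),
            "KEYS": [release_key["n"]]}

def compromised_mirror():
    # Artifact, signature and KEYS are swapped together, as in point (b).
    data = b"trojaned download"
    return {"artifact": data, "sig": sign(intruder_key, data),
            "KEYS": [intruder_key["n"]]}

def check(mirror, keys_from_origin):
    """Verify a mirror's artifact with KEYS from the origin or from the mirror."""
    keys = ORIGIN_KEYS if keys_from_origin else mirror["KEYS"]
    return verify(keys, mirror["artifact"], mirror["sig"])

if __name__ == "__main__":
    for name, m in (("honest", honest_mirror()), ("compromised", compromised_mirror())):
        print(name, "mirror KEYS:", check(m, False), "origin KEYS:", check(m, True))
```
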
Re: PGP key A74A32FC not in KEYS file
Posted by "Henk P. Penning" <he...@cs.uu.nl>.
On Mon, 15 Sep 2008, Sean Mullan wrote:
> Date: Mon, 15 Sep 2008 15:15:17 -0400
> From: Sean Mullan <Se...@Sun.COM>
> To: Henk P. Penning <he...@cs.uu.nl>
> Cc: Sean Mullan <mu...@apache.org>, repository@apache.org
> Subject: Re: PGP key A74A32FC not in KEYS file
>
> Hi Henk,
>
> I created a KEYS file with my public key on people.apache.org in the
> directory
> /www/people.apache.org/repo/m2-ibiblio-rsync-repository/org/apache/santuario
>
> Let me know if that fixes the problem.
Hi Sean,
yup ; that fixed it ; thanks for the quick response.
A minor point : Please try to get your key signed ;
A key is as good as its sigs ... ;
http://www.biglumber.com/
> --Sean
Regards,
Henk Penning
> Henk P. Penning wrote:
>> Hi Sean,
>>
>> I do some checking on the apache.org Maven repo. I noticed
>> that your public pgp key A74A32FC can't be found in any
>> KEYS file.
>>
>> Please take a look at
>>
>> http://people.apache.org/~henkp/repo/
>>
>> ... and add your public key to some proper KEYS file.
>> Don't hesitate to mail me if you have questions.
>>
>> Thanks a lot ; regards,
>>
>> Henk Penning -- apache.org infrastructure