Posted to infrastructure-issues@apache.org by "Joshua Slive (JIRA)" <ji...@apache.org> on 2007/06/14 19:19:26 UTC

[jira] Resolved: (INFRA-1189) RSYNC: Change rsync configuration to exclude KEYS files

     [ https://issues.apache.org/jira/browse/INFRA-1189?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Joshua Slive resolved INFRA-1189.
---------------------------------

    Resolution: Won't Fix

I disagree with this.

While we should encourage downloaders to get KEYS files from our sites, if our sites should ever go down, KEYS files plus PGP signatures can still be used to verify the authenticity of a release if someone can establish a PGP chain of trust to a signer in the KEYS file.

I admit that this is mostly theoretical, but if we should ever lose apache.org, we want to give our users the best possible chance of verifying stuff from the mirrors.

> RSYNC: Change rsync configuration to exclude KEYS files
> -------------------------------------------------------
>
>                 Key: INFRA-1189
>                 URL: https://issues.apache.org/jira/browse/INFRA-1189
>             Project: Infrastructure
>          Issue Type: Improvement
>      Security Level: public(Regular issues) 
>          Components: Mirrors
>            Reporter: Sebb
>
> KEYS files are currently picked up by the mirrors.
> However, they should never be trusted on mirrors, so I suggest that they are not made available.
> It looks like MD5 files are already excluded from mirrors, which is probably a good thing.
