Posted to infrastructure-dev@apache.org by Aristedes Maniatis <ar...@ish.com.au> on 2008/12/07 23:51:44 UTC
Keys, Was: cleanup of /www/www.apache.org/dist/*
On 28/11/2008, at 6:42 PM, Henk P. Penning wrote:
> wouldn't it be nice to have a formal description of the
> ((sub-)sub-)project structure, sitting in a database,
> instead of trying to glean this info from '/dist/' ?
>
> also, the KEYS file setup stinks imho ; for a proposal
> to improve things, see
>
> http://people.apache.org/~henkp/trust/
Should the storage of these keys be considered as part of the LDAP
project underway now? It seems logical to keep identity information
for each committer in the one place and if that place is going to be
LDAP... They could still be published automatically to https://apache.org
... for public consumption.
> The KEYS, .md5, .sig and .asc files are distributed to the mirrors.
> I think it serves no useful purpose. It would be easy to have them
> in /dist/ and not distribute them to the mirrors (exclude them in
> rsyncd.conf).
I'd go further: it is actually quite detrimental to have these files
mirrored since there is not the level of control over mirrors that
there is over apache.org, and if someone wanted to inject fake files
into a mirror, they also just need to change the MD5, etc files. But
if the general public were used to finding signatures and hashes at https://apache.org/something
then they build a level of trust that that location is authentic.
Ari Maniatis
-------------------------->
ish
http://www.ish.com.au
Level 1, 30 Wilson Street Newtown 2042 Australia
phone +61 2 9550 5001 fax +61 2 9550 4001
GPG fingerprint CBFB 84B4 738D 4E87 5E5C 5EFA EF6A 7D2E 3E49 102A
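The argument in the message above (a mirror that can swap the artifact can swap the mirrored .md5 alongside it, so only a checksum fetched from the canonical apache.org host adds trust) can be shown with a small verifier. This is an added example, not code from the e-mail or from Apache infrastructure; the "mirror" and "canonical" hosts are constructed in-memory dictionaries standing in for HTTP servers, the artifact bytes are constructed, and SHA-256 is assumed in place of the MD5 files the message mentions.

```python
"""Checksum-from-mirror vs. checksum-from-canonical-host (added example)."""
import hashlib
import hmac

# Constructed release artifact; in reality this would be the tarball bytes.
NAME = "apache-example-1.0.tar.gz"
ORIGINAL = b"apache-example-1.0.tar.gz contents (constructed)\n"


def checksum_line(name: str, data: bytes) -> str:
    """Produce one line in sha256sum(1) format: '<hex digest>  <file name>'."""
    return f"{hashlib.sha256(data).hexdigest()}  {name}\n"


# Canonical host (assumed https://apache.org/dist): holds the integrity files.
canonical = {NAME + ".sha256": checksum_line(NAME, ORIGINAL)}

# Honest mirror: artifact plus the checksum file rsynced alongside it.
honest_mirror = {
    NAME: ORIGINAL,
    NAME + ".sha256": checksum_line(NAME, ORIGINAL),
}

# Compromised mirror (constructed): the artifact was replaced and the
# checksum file regenerated to match, exactly the case the message describes.
TAMPERED = b"apache-example-1.0.tar.gz with unwanted changes (constructed)\n"
bad_mirror = {
    NAME: TAMPERED,
    NAME + ".sha256": checksum_line(NAME, TAMPERED),
}


def parse_checksum(line: str, expected_name: str) -> str:
    """Extract the hex digest for expected_name from a sha256sum-style line."""
    digest, sep, name = line.strip().partition("  ")
    if not sep or name.strip() != expected_name:
        raise ValueError(f"checksum line does not describe {expected_name!r}")
    return digest.lower()


def verify(artifact: bytes, checksum_text: str, name: str) -> bool:
    """True iff the artifact's SHA-256 matches the digest in checksum_text."""
    expected = parse_checksum(checksum_text, name)
    actual = hashlib.sha256(artifact).hexdigest()
    # Constant-time comparison; irrelevant to an attacker here but good habit.
    return hmac.compare_digest(expected, actual)


def fetch_and_verify(mirror: dict, checksum_source: dict, name: str) -> bool:
    """Download the artifact from `mirror` but the checksum from `checksum_source`.

    The security of the result depends entirely on checksum_source being a
    host the attacker cannot write to; a mirror serving both is no check at all.
    """
    return verify(mirror[name], checksum_source[name + ".sha256"], name)


if __name__ == "__main__":
    print("honest mirror, canonical checksum :", fetch_and_verify(honest_mirror, canonical, NAME))
    print("bad mirror, mirror's own checksum  :", fetch_and_verify(bad_mirror, bad_mirror, NAME))
    print("bad mirror, canonical checksum     :", fetch_and_verify(bad_mirror, canonical, NAME))
```

The second and third lines of output make the point: taking the checksum from the same mirror as the artifact passes even when both were replaced, while taking it from the canonical host detects the substitution. A detached .asc signature checked against a KEYS file fetched from the canonical host gives the same property with a stronger primitive, since the attacker would then also need the release manager's private key rather than merely write access to the host serving the checksum.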