Posted to infrastructure-dev@apache.org by Aristedes Maniatis <ar...@ish.com.au> on 2008/12/07 23:51:44 UTC

Keys, Was: cleanup of /www/www.apache.org/dist/*

On 28/11/2008, at 6:42 PM, Henk P. Penning wrote:

>    wouldn't it be nice to have a formal description of the
>    ((sub-)sub-)project structure, sitting in a database,
>    instead of trying to glean this info from '/dist/' ?
>
>    also, the KEYS file setup stinks imho ; for a proposal
>    to improve things, see
>
>      http://people.apache.org/~henkp/trust/


Should the storage of these keys be considered as part of the LDAP
project underway now? It seems logical to keep identity information
for each committer in the one place and if that place is going to be
LDAP... They could still be published automatically to https://apache.org
... for public consumption.


> The KEYS, .md5, .sig and .asc files are distributed to the mirrors.
> I think it serves no useful purpose. It would be easy to have them
> in /dist/ and not distribute them to the mirrors (exclude them in
> rsyncd.conf).

I'd go further: it is actually quite detrimental to have these files
mirrored since there is not the level of control over mirrors that
there is over apache.org, and if someone wanted to inject fake files
into a mirror, they also just need to change the MD5, etc. files. But
if the general public were used to finding signatures and hashes at
https://apache.org/something then they would build a level of trust that
that location is authentic.

Ari Maniatis


-------------------------->
ish
http://www.ish.com.au
Level 1, 30 Wilson Street Newtown 2042 Australia
phone +61 2 9550 5001   fax +61 2 9550 4001
GPG fingerprint CBFB 84B4 738D 4E87 5E5C  5EFA EF6A 7D2E 3E49 102A
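The failure mode Ari describes above (a mirror operator, or someone who has compromised a mirror, swaps an artifact and simply regenerates the hash file sitting beside it) is easy to demonstrate. The following is an added example written for this archive page; it is not code from the thread, from Apache infrastructure, or from the author. It simulates a compromised mirror and a canonical host as in-memory dictionaries, and uses constructed file contents, a constructed file name (foo-1.0.tar.gz) and the common "hex  filename" checksum line format as assumptions. The naive client that reads the hash from the mirror accepts the tampered download; the client that fetches the hash from the canonical host rejects it.

```python
import hashlib
import hmac

# Constructed sample data (not a real Apache artifact).
GENUINE = b"foo-1.0.tar.gz contents (constructed, genuine release)"
TAMPERED = b"foo-1.0.tar.gz contents (constructed, backdoored release)"
ARTIFACT = "foo-1.0.tar.gz"


def digest_hex(data: bytes, algo: str = "sha256") -> str:
    """Hex digest of data; algo is any name hashlib knows ('md5' in 2008, sha256 today)."""
    return hashlib.new(algo, data).hexdigest()


def make_hash_file(data: bytes, name: str, algo: str = "sha256") -> str:
    """Produce a checksum file in the '<hex>  <name>' form that sha256sum/md5sum emit."""
    return f"{digest_hex(data, algo)}  {name}\n"


def parse_hash_file(text: str) -> dict:
    """Parse '<hex>  <name>' or '<hex> *<name>' lines into {name: hex}; skip blanks/comments."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        hex_digest, _, name = line.partition(" ")
        name = name.strip().lstrip("*")
        if hex_digest and name:
            out[name] = hex_digest.lower()
    return out


def verify(data: bytes, expected_hex: str, algo: str = "sha256") -> bool:
    """Constant-time comparison so a leaky compare does not add a side channel."""
    return hmac.compare_digest(digest_hex(data, algo), expected_hex.lower())


# What the foundation publishes on the host it controls (assumption: one artifact).
CANONICAL_HOST = {ARTIFACT + ".sha256": make_hash_file(GENUINE, ARTIFACT)}

# An honest mirror carries the same artifact and the same hash file.
HONEST_MIRROR = {
    ARTIFACT: GENUINE,
    ARTIFACT + ".sha256": make_hash_file(GENUINE, ARTIFACT),
}

# A compromised mirror: the attacker replaces the artifact AND regenerates
# the hash file next to it, exactly the scenario the mail warns about.
COMPROMISED_MIRROR = {
    ARTIFACT: TAMPERED,
    ARTIFACT + ".sha256": make_hash_file(TAMPERED, ARTIFACT),
}


def check_using_mirror_hash(mirror: dict) -> bool:
    """Naive client: trusts whatever checksum file the mirror serves beside the artifact."""
    expected = parse_hash_file(mirror[ARTIFACT + ".sha256"])[ARTIFACT]
    return verify(mirror[ARTIFACT], expected)


def check_using_canonical_hash(mirror: dict, canonical: dict) -> bool:
    """Hardened client: artifact from the mirror, checksum from the canonical host only."""
    expected = parse_hash_file(canonical[ARTIFACT + ".sha256"])[ARTIFACT]
    return verify(mirror[ARTIFACT], expected)


if __name__ == "__main__":
    print("naive check, compromised mirror:   ", check_using_mirror_hash(COMPROMISED_MIRROR))
    print("canonical check, compromised mirror:", check_using_canonical_hash(COMPROMISED_MIRROR, CANONICAL_HOST))
    print("canonical check, honest mirror:     ", check_using_canonical_hash(HONEST_MIRROR, CANONICAL_HOST))
```

The same separation applies to .asc signatures and the KEYS file: a signature is only as good as the key it is checked against, so a client should obtain KEYS from the canonical host (or verify the signing key's fingerprint out of band) rather than from the mirror that served the download.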