Posted to commits@beam.apache.org by "Daniel Halperin (JIRA)" <ji...@apache.org> on 2016/07/26 06:23:20 UTC
[jira] [Created] (BEAM-488) Remove KEYS file
Daniel Halperin created BEAM-488:
------------------------------------
Summary: Remove KEYS file
Key: BEAM-488
URL: https://issues.apache.org/jira/browse/BEAM-488
Project: Beam
Issue Type: Task
Components: project-management
Affects Versions: Not applicable
Reporter: Daniel Halperin
Assignee: Daniel Halperin
http://mail-archives.apache.org/mod_mbox/incubator-general/201606.mbox/%3CCAAS6=7hVLcw6060Un7sXxk+WLLh08DFOSWktC0Aam4F=DyE0xA@mail.gmail.com%3E
> Bundling PGP keys inside a package is worse than worthless -- an attacker can
> just bundle spoofed keys with a bogus distro! Keys need to be made available
> from a highly reliable, separate server: Download the main package from a
> mirror, get PGP keys from apache.org, pgp.mit.edu, etc. and verify.
>
> The KEYS file within the Beam source tree should be deleted.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
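
The verification flow the quoted message describes, as an added example that is not part of the original message or of Beam's own tooling: the signature is checked in a throwaway keyring built only from a separately obtained KEYS file, and a KEYS file found inside the unpacked tree is refused. The function names and exit codes are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example, not Beam project code. Function names are assumptions.

# keys_outside_tree KEYS TREE
# Succeeds only when the KEYS file does not live under the unpacked tree.
keys_outside_tree() {
    keys_dir=$(cd "$(dirname "$1")" && pwd -P) || return 2
    tree_dir=$(cd "$2" && pwd -P) || return 2
    case "$keys_dir/" in
        "$tree_dir"/*) return 1 ;;  # bundled key: no more trustworthy than the package
    esac
    return 0
}

# verify_release KEYS ARTIFACT SIGNATURE [TREE]
# KEYS must have been fetched separately from the project's own server
# (not from the mirror, not from inside the archive).
# Returns 0 on a good signature, 3 for a bundled KEYS file, non-zero otherwise.
verify_release() {
    keys=$1 artifact=$2 sig=$3 tree=${4:-}
    if [ -n "$tree" ] && ! keys_outside_tree "$keys" "$tree"; then
        echo "refusing KEYS file bundled in $tree" >&2
        return 3
    fi
    home=$(mktemp -d) || return 2
    rc=0
    # Throwaway keyring: only keys from the separately fetched file are accepted,
    # so nothing already in the user's keyring can make the check pass.
    {
        gpg --homedir "$home" --batch --quiet --import "$keys" &&
        gpg --homedir "$home" --batch --verify "$sig" "$artifact"
    } || rc=$?
    rm -rf "$home"
    return "$rc"
}
```

A zero exit status only shows that some key in the supplied KEYS file made the signature, so the signer's fingerprint should still be compared against one published by the project.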