You are viewing a plain text version of this content. The canonical link for it is here.

Posted to commits@beam.apache.org by "Daniel Halperin (JIRA)" <ji...@apache.org> on 2016/07/26 06:23:20 UTC

[jira] [Created] (BEAM-488) Remove KEYS file

Daniel Halperin created BEAM-488:
------------------------------------

             Summary: Remove KEYS file
                 Key: BEAM-488
                 URL: https://issues.apache.org/jira/browse/BEAM-488
             Project: Beam
          Issue Type: Task
          Components: project-management
    Affects Versions: Not applicable
            Reporter: Daniel Halperin
            Assignee: Daniel Halperin


http://mail-archives.apache.org/mod_mbox/incubator-general/201606.mbox/%3CCAAS6=7hVLcw6060Un7sXxk+WLLh08DFOSWktC0Aam4F=DyE0xA@mail.gmail.com%3E

> Bundling PGP keys inside a package is worse than worthless -- an attacker can
just bundle spoofed keys with a bogus distro!  Keys need to be made available
from a highly reliable, separate server: Download the main package from a
mirror, get PGP keys from apache.org, pgp.mit.edu, etc. and verify.
> 
> The KEYS file within the Beam source tree should be deleted.
 



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)