Posted to server-dev@james.apache.org by Harmeet Bedi <ha...@kodemuse.com> on 2003/01/01 03:13:41 UTC

Re: Specific Steps to Release

----- Original Message -----
From: "Noel J. Bergman" <no...@devtech.com>
> Yes, talking about signing.  I know about the tools.  It was the
> procedures I was wondering about.  Do we have any notion of a web of
> trust, or do I simply make for myself an ad hoc key and stick it in a
> file?  Do we have a KEY file already, with keys for previous Release
> Managers?


I don't believe it has ever been done for James.

It is however highly recommended. Some time back the passwd file was stolen
and posted on the net.

The real danger was that someone would add a trojan horse to builds, folks
would download it, and a few years later modified (hacked) Apache software
would run on a lot of sites.

This actual attack highlighted the importance of signing releases. I believe
the process for key pair generation and use is documented to some extent in
O'Reilly SSH book http://www.oreilly.com/catalog/sshtdg/index.html.
I should have this book somewhere and should be able to verify. This
information should also be somewhere on the Apache site.

I think this is the process - you generate a key pair, put your public key
at Apache machines and your private key with yourself. Log in via ssh using
this key pair. Sign the release using your private key.
I don't know if there is a web of trust in place. It would be good and would
be nice if Apache was a CA, but at present I don't think trust relationships
like certificate chains etc. are in place.

Harmeet


--
To unsubscribe, e-mail:   <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>


RE: Distribution signing

Posted by "Noel J. Bergman" <no...@devtech.com>.
Er, make that infrastructure@.

	--- Noel

-----Original Message-----
From: Noel J. Bergman [mailto:noel@devtech.com]
Sent: Thursday, January 02, 2003 13:48
To: James Developers List
Subject: RE: Distribution signing


Want to continue this discussion on community@?  Sander Striker is talking
about the general issue now, and he didn't mention that point at all.

	--- Noel

-----Original Message-----
From: Danny Angus [mailto:danny@apache.org]
Sent: Thursday, January 02, 2003 13:24
To: James Developers List
Subject: RE: Distribution signing


you should get people to sign your key too, create a "web of trust".
d.

> -----Original Message-----
> From: Noel J. Bergman [mailto:noel@devtech.com]
> Sent: 02 January 2003 17:46
> To: James Developers List
> Subject: Distribution signing
>
>
> > > do I simply make for myself an ad hoc key and stick it in a file?
> > > Do we have a KEY file already, with keys for previous Release
> Managers?
>
> > I don't believe it has ever been done for James.
> > It is however highly recommended.
> > > The real danger was that someone would add a trojan horse to builds
>
> And that danger increases with the push to use mirrors for downloading.
>
> I went ahead and used GnuPG, created a new key for signing,
> prepared a KEYS
> file, signed the distribution files following the instructions on the GnuPG
> site, and uploaded the KEYS and digital signatures to the download
> directories.  Also setup a HEADER.html and README.html.
>
> I did not use the same key that I use for SSH.  The key I generated is
> unique to file signing.
>
> I'll update KEYS, HEADER.html and README.html files into the CVS.
>
> 	--- Noel
>
>
>



RE: Distribution signing

Posted by "Noel J. Bergman" <no...@devtech.com>.
Want to continue this discussion on community@?  Sander Striker is talking
about the general issue now, and he didn't mention that point at all.

	--- Noel



RE: Distribution signing

Posted by Danny Angus <da...@apache.org>.
you should get people to sign your key too, create a "web of trust".
d.



Distribution signing

Posted by "Noel J. Bergman" <no...@devtech.com>.
> > do I simply make for myself an ad hoc key and stick it in a file?
> > Do we have a KEY file already, with keys for previous Release Managers?

> I don't believe it has ever been done for James.
> It is however highly recommended.
> The real danger was that someone would add a trojan horse to builds

And that danger increases with the push to use mirrors for downloading.

I went ahead and used GnuPG, created a new key for signing, prepared a KEYS
file, signed the distribution files following the instructions on the GnuPG
site, and uploaded the KEYS and digital signatures to the download
directories.  Also setup a HEADER.html and README.html.

I did not use the same key that I use for SSH.  The key I generated is
unique to file signing.

I'll update KEYS, HEADER.html and README.html files into the CVS.

	--- Noel


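The workflow the thread describes, as an added example that is not code from the James project or from anyone in this thread: a release manager generates a key used only for signing (kept apart from the SSH key, as Noel did), publishes the public half in a KEYS file, and puts a detached signature next to the distribution file; a downloader who fetched the file from a mirror imports KEYS into an empty keyring and verifies the signature. It goes one step beyond the posts on the point Danny raises: a "Good signature" from a key nobody has certified proves only that the file matches whatever key came with it, so the verification here also requires the signing key's fingerprint to match one obtained out of band (from the canonical project site or through the web of trust, never from the mirror itself). The key identity, e-mail address, file names and contents, and the passphrase-less demo key are assumptions made for this example only; it needs GnuPG on the PATH and never touches the real ~/.gnupg.

```shell
#!/bin/sh
# Added example (not code from the James project or from anyone in this thread):
# a GnuPG release-signing workflow following the steps described above.
# Assumptions for this demo: the key identity, the e-mail address, the
# release file name and contents, and an unprotected (passphrase-less) key.
set -eu

WORK="$(mktemp -d)"
RM_HOME="$WORK/rm-gnupg"          # release manager's keyring (holds the private key)
DL_HOME="$WORK/downloader-gnupg"  # a downloader's keyring, empty until KEYS is imported
mkdir -p "$RM_HOME" "$DL_HOME"
chmod 700 "$RM_HOME" "$DL_HOME"
cleanup() {
    for h in "$RM_HOME" "$DL_HOME"; do gpgconf --homedir "$h" --kill all 2>/dev/null || true; done
    rm -rf "$WORK"
}
trap cleanup EXIT

SIGNER="releases@example.invalid"   # assumed identity of the signing key

# gpg wrapper: non-interactive, and never touching the real ~/.gnupg
g() { _h="$1"; shift; gpg --batch --quiet --no-tty --homedir "$_h" "$@"; }

# Release manager, step 1: a key used only for signing releases, separate
# from any SSH key. The private half never leaves RM_HOME.
rm_generate_key() {
    g "$RM_HOME" --gen-key <<'EOF'
%no-protection
Key-Type: RSA
Key-Length: 3072
Key-Usage: sign
Name-Real: Example Release Manager
Name-Email: releases@example.invalid
Expire-Date: 1y
%commit
EOF
}

# 40-hex-digit fingerprint of the signing key: this is what gets published
# out of band (project web site, key signing by other developers) so that
# downloaders can pin it instead of trusting whatever a mirror serves.
rm_fingerprint() {
    g "$RM_HOME" --with-colons --fingerprint "$SIGNER" |
        awk -F: '$1 == "fpr" { print $10; exit }'
}

# Step 2: a KEYS file in the usual Apache shape, a human-readable key
# listing followed by the ASCII-armored public keys.
rm_write_keys_file() {   # $1 = path of the KEYS file to write
    { g "$RM_HOME" --list-sigs; g "$RM_HOME" --armor --export; } > "$1"
}

# Step 3: detached ASCII-armored signature, uploaded next to the artifact.
rm_sign() {              # $1 = release artifact; writes "$1.asc"
    g "$RM_HOME" --yes --armor --detach-sign --local-user "$SIGNER" \
        --output "$1.asc" "$1"
}

# Downloader side. Returns 0 only if the signature is valid AND was made by
# the pinned key. "Good signature" alone is not enough: a compromised mirror
# could serve its own KEYS file with its own "Release Manager" key, so the
# fingerprint must come from somewhere the mirror cannot alter.
verify_release() {       # $1 = KEYS, $2 = artifact, $3 = .asc signature, $4 = pinned fingerprint
    g "$DL_HOME" --import "$1" 2>/dev/null
    _status="$(g "$DL_HOME" --status-fd 1 --verify "$3" "$2" 2>/dev/null || true)"
    # Machine-readable status line: "[GNUPG:] VALIDSIG <fingerprint> <date> ..."
    printf '%s\n' "$_status" | grep -q "^\[GNUPG:\] VALIDSIG $4 "
}

# --- demo ---------------------------------------------------------------
ARTIFACT="$WORK/release-1.0.tar.gz"
printf 'constructed stand-in for a release tarball\n' > "$ARTIFACT"

rm_generate_key
FPR="$(rm_fingerprint)"
rm_write_keys_file "$WORK/KEYS"
rm_sign "$ARTIFACT"

# A copy as fetched from a mirror: first pristine, then modified in transit.
MIRROR="$WORK/from-mirror.tar.gz"
cp "$ARTIFACT" "$MIRROR"
cp "$ARTIFACT.asc" "$MIRROR.asc"
if verify_release "$WORK/KEYS" "$MIRROR" "$MIRROR.asc" "$FPR"; then
    echo "pristine copy: valid signature from pinned key $FPR"
fi
printf 'one appended line simulating a modified build\n' >> "$MIRROR"
if verify_release "$WORK/KEYS" "$MIRROR" "$MIRROR.asc" "$FPR"; then
    echo "UNEXPECTED: modified copy verified"; exit 1
else
    echo "modified copy: verification failed, as it should"
fi
```

Two design choices worth noting. The check parses gpg's --status-fd output rather than grepping "Good signature" from stderr, because the human-readable text is localized and does not say which key made the signature, whereas the VALIDSIG line carries the full fingerprint. And the downloader's keyring starts empty and is fed only the KEYS file, which is exactly the position of someone who got the tarball from a mirror; the fingerprint compared against it is the one piece of information that has to arrive by a path the mirror does not control.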