Posted to dev@bookkeeper.apache.org by gi...@git.apache.org on 2017/08/09 18:23:24 UTC

[GitHub] sijie commented on issue #420: Issue 419: dockerfile - auto verify asc file GPG_KEY

sijie commented on issue #420: Issue 419: dockerfile - auto verify asc file GPG_KEY
URL: https://github.com/apache/bookkeeper/pull/420#issuecomment-321340280
 
 
   @caiok @zhaijack 
   
   This is a very good discussion. I like the discussion here.
   
   I think the core concern here is how to safely distribute/retrieve a KEY ID for verification. The approaches that @zhaijack takes (either getting the key ID from the asc file or importing KEY files) have the same security concern - when both the key file or asc file and the package file are faked.
   
   From this consideration, since each time we bump a release we need to update the version, I am fine if we keep both the version and the corresponding key in the docker file and update them on each release.
 
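Added example, not part of the original comment or of the BookKeeper Dockerfile: one way to apply the "keep the key next to the version" approach is to accept a release only when gpg's VALIDSIG status line names a fingerprint pinned in the build file, instead of trusting the key ID carried in the .asc file. `PINNED_FPR`, the function names and the arguments are hypothetical; the fingerprint is a constructed placeholder.

```shell
# Constructed placeholder. A real build file would carry the release manager's
# full 40-hex-digit primary key fingerprint and be updated with the version.
PINNED_FPR="0123456789ABCDEF0123456789ABCDEF01234567"

# Read `gpg --status-fd` lines on stdin and succeed only if a VALIDSIG line
# names the pinned fingerprint. Field 3 is the fingerprint of the key that
# made the signature; field 12, when present, is its primary key.
status_has_pinned_validsig() {
    awk -v want="$(printf '%s' "$1" | tr 'a-f' 'A-F')" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" {
            fpr = (NF >= 12) ? $12 : $3
            if (toupper(fpr) == want) ok = 1
        }
        END { exit (ok ? 0 : 1) }'
}

# Verify a detached signature inside a throwaway keyring, then require that
# the signer is the pinned key. A valid signature from any other key fails,
# which covers the case where both the .asc file and the package were replaced.
# usage: verify_release <public_key_file> <package.asc> <package>
verify_release() {
    home=$(mktemp -d) || return 1
    chmod 700 "$home"
    status=$(GNUPGHOME="$home" gpg --batch --quiet --import "$1" 2>/dev/null &&
             GNUPGHOME="$home" gpg --batch --status-fd 1 --verify "$2" "$3" 2>/dev/null)
    rc=$?
    rm -rf "$home"
    [ "$rc" -eq 0 ] &&
        printf '%s\n' "$status" | status_has_pinned_validsig "$PINNED_FPR"
}
```

A signature that gpg reports as good but that was made by a key other than the pinned one is rejected, because the decision rests on the fingerprint stored in the build file and not on anything downloaded alongside the package.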