james-server-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Danny Angus" <da...@apache.org>
Subject RE: Distribution signing
Date Thu, 02 Jan 2003 18:24:02 GMT
you should get people to sign your key too, create a "web of trust".
d.

> -----Original Message-----
> From: Noel J. Bergman [mailto:noel@devtech.com]
> Sent: 02 January 2003 17:46
> To: James Developers List
> Subject: Distribution signing
>
>
> > > do I simply make for myself an ad hoc key and stick it in a file?
> > > Do we have a KEY file already, with keys for previous Release
> Managers?
>
> > I don't believe it has ever been done for James.
> > It is however highly recommended.
> > The real danger was that someone would add trojon horse to builds
>
> And that danger increases with the push to use mirrors for downloading.
>
> I went ahead and used GnuPG, created a new key for signing,
> prepared a KEYS
> file, signed the distribution files following the instuctions on the GnuPG
> site, and uploaded the KEYS and digital signatures to the download
> directories.  Also setup a HEADER.html and README.html.
>
> I did not use the same key that I use for SSH.  The key I generated is
> unique to file signing.
>
> I'll update KEYS, HEADER.html and README.html files into the CVS.
>
> 	--- Noel
>
>
> --
> To unsubscribe, e-mail:
> <mailto:james-dev-unsubscribe@jakarta.apache.org>
> For additional commands, e-mail:
> <mailto:james-dev-help@jakarta.apache.org>
>


--
To unsubscribe, e-mail:   <mailto:james-dev-unsubscribe@jakarta.apache.org>
For additional commands, e-mail: <mailto:james-dev-help@jakarta.apache.org>


Mime
View raw message