james-server-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Noel J. Bergman" <n...@devtech.com>
Subject Distribution signing
Date Thu, 02 Jan 2003 17:46:28 GMT
> > do I simply make for myself an ad hoc key and stick it in a file?
> > Do we have a KEY file already, with keys for previous Release Managers?

> I don't believe it has ever been done for James.
> It is however highly recommended.
> The real danger was that someone would add trojon horse to builds

And that danger increases with the push to use mirrors for downloading.

I went ahead and used GnuPG, created a new key for signing, prepared a KEYS
file, signed the distribution files following the instuctions on the GnuPG
site, and uploaded the KEYS and digital signatures to the download
directories.  Also setup a HEADER.html and README.html.

I did not use the same key that I use for SSH.  The key I generated is
unique to file signing.

I'll update KEYS, HEADER.html and README.html files into the CVS.

	--- Noel

To unsubscribe, e-mail:   <mailto:james-dev-unsubscribe@jakarta.apache.org>
For additional commands, e-mail: <mailto:james-dev-help@jakarta.apache.org>

View raw message