tika-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jukka Zitting <jukka.zitt...@gmail.com>
Subject Re: KEYS file and dist.apache.org (Re: [VOTE] Apache Tika 1.3 Release Candidate #1)
Date Mon, 21 Jan 2013 12:13:18 GMT

On Mon, Jan 21, 2013 at 1:39 PM, Michael McCandless
<lucene@mikemccandless.com> wrote:
> I had thought we were supposed to ship the KEYS file next to all release bits.

Yes, my point is just that it's better if it's not expressed as a
*part* of the release candidate.

Otherwise there's a risk of implying that one could/should verify the
signature with the key included in the release, which is troublesome
for people who don't follow the Apache Web of Trust (i.e. the majority
of people out there). The best approach for such people is to download
the KEYS file directly from www.apache.org instead of from the mirror
from which they got the release or (even worse) from within the
release archive. Otherwise an attacker could simply add their own key
to the KEYS file before re-signing a modified release... That's why
for example http://tika.apache.org/download.html points directly to
http://www.apache.org/dist/tika/KEYS instead of using mirrors.


Jukka Zitting

View raw message