On 2011-12-23, Ramon Smits wrote:
> I can share some thought about this new key philosophy regarding they
> anyone should be able to patch it but I think it is wrong. How can I
> validate a package from untrusted sources if they have access to the
> 'official' private key?

The only official binary release is the one you download from an Apache mirror, and you can validate the PGP signature.

> For example, somebody has created a log4net nuget:
> http://nuget.org/packages/log4net
> How can I validate if this is an official binary?

It is not, as the log4net community doesn't have any control over it.

Stefan
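A shell check for the verification step Stefan describes, added here as an example and not code from the thread or the log4net project: it imports only the project's published KEYS file into a throwaway keyring and verifies the detached .asc signature against that keyring alone, so a signature made with any key that is not in KEYS (one fetched from a keyserver, or whatever key a third-party NuGet packager used) is rejected. File names and the `rm@example.invalid` signer are assumptions.

```shell
#!/bin/sh
# Verify an Apache release artifact using nothing but the project's KEYS file.
# Usage: verify_apache_release KEYS artifact artifact.asc
# Returns 0 on a good signature from a key listed in KEYS, 1 on a bad or
# unknown-key signature, 2 on a setup error (cannot import KEYS).
verify_apache_release() {
    keys_file=$1; artifact=$2; sig=$3
    # Throwaway keyring: the user's default keyring and any keyserver-sourced
    # keys must not be able to vouch for the artifact.
    tmp_home=$(mktemp -d) || return 2
    chmod 700 "$tmp_home"
    if ! gpg --homedir "$tmp_home" --batch --quiet --import "$keys_file" 2>/dev/null; then
        rm -rf "$tmp_home"; return 2
    fi
    # --status-fd 1 gives machine-readable lines; a VALIDSIG line carries the
    # fingerprint of the signing key, which can only come from KEYS here.
    if status=$(gpg --homedir "$tmp_home" --batch --status-fd 1 \
                    --verify "$sig" "$artifact" 2>/dev/null); then
        rc=0
    else
        rc=1
    fi
    gpgconf --homedir "$tmp_home" --kill gpg-agent 2>/dev/null || true
    rm -rf "$tmp_home"
    [ "$rc" -eq 0 ] || return 1
    fpr=$(printf '%s\n' "$status" | awk '/^\[GNUPG:\] VALIDSIG / { print $3; exit }')
    [ -n "$fpr" ] || return 1
    # Report the fingerprint so it can be compared with the release announcement.
    echo "good signature from KEYS fingerprint $fpr"
    return 0
}
```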
