caiok commented on issue #420: Issue 419: dockerfile - auto verify asc file 
   What kind of connection error did you get?
   Your second solution don't add any further security, because you are 
downloading that file from the same (potentially compromised) source. 
   Another way could be to place key fingerprint of releases signers in a file 
of the github repo (e.g. bookkeeper/KEYS or whatever) that will keep the key 
fingerprint of every released version in a easily parsable format (e.g. 
"4.5.0\tB3D56514") and download it via github static.
   I don't know if is a feasible solution, but it will provide the same 
original security level (for compromise the released files one should gather 
write access to released files and to the github repo, that is much more 
difficult). The update of this file should be done in the release procedure. It 
is very similar to the original solution (someone should commit an update to a 
file), but in this case you don't need to update docker image but a general 
utility file.
   @sijie What do you think about it?
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:

With regards,
Apache Git Services

Reply via email to