caiok commented on issue #420: Issue 419: dockerfile - auto verify asc file GPG_KEY URL: https://github.com/apache/bookkeeper/pull/420#issuecomment-321299527 @zhaijack Please note that the risk is not only that apache website will be compromised, but rather a man in the middle attack. If we should choose option 2 we should remove all verification code from dockerfile, because it give a misleading security feeling. I strongly prefer to follow industry standards and verify packages, though. Take a look at the [official images guidelines about security](https://github.com/docker-library/official-images#security). ---------------------------------------------------------------- This is an automated message from the Apache Git Service. To respond to the message, please log on GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org
With regards, Apache Git Services