sijie commented on issue #420: Issue 419: dockerfile - auto verify asc file GPG_KEY
URL: https://github.com/apache/bookkeeper/pull/420#issuecomment-321340280
 
 
   @caiok @zhaijack 
   
   This is a very good discussion. I like the discussion here.
   
   I think the core concern here is how to safely distribute/retrieve a KEY ID 
for verification. The approaches that @zhaijack takes (either getting the key 
ID from the asc file or importing KEY files) have the same security concern - 
when both the key file or asc file and the package file are faked.
   
   From this consideration, since we need to update the version each time we 
bump a release, I am fine with keeping both the version and the corresponding 
key in the docker file and updating them on each release.
 
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


With regards,
Apache Git Services
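
The check the comment argues for, as an added example that is not part of the original message or the BookKeeper Dockerfile: accept a release only when the signature was made by the fingerprint pinned alongside the version, not by whatever key the downloaded asc or KEYS file names. The function name `signed_by_pinned_key`, the fingerprints and the status lines are constructed for illustration; the status format is what `gpg --status-fd` emits.

```shell
#!/bin/sh
# Added example. Reads the output of
#   gpg --status-fd 1 --verify pkg.asc pkg
# on stdin and succeeds only if the signature came from the pinned key.
signed_by_pinned_key() {
    # Normalise the pinned value: strip spaces, upper-case hex digits.
    pinned=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    # Insist on a full 40-hex-digit fingerprint, not a short key ID.
    case "$pinned" in
        ''|*[!0-9A-F]*) return 2 ;;
    esac
    [ "${#pinned}" -eq 40 ] || return 2
    awk -v pinned="$pinned" '
        $1 != "[GNUPG:]" { next }
        # Any failed, expired or revoked signature rejects the package.
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        $2 == "VALIDSIG" {
            # Field 3 is the signing (sub)key fingerprint; field 12, when
            # present, is the primary key fingerprint.
            primary = (NF >= 12) ? $12 : $3
            if (toupper(primary) == pinned)
                ok = 1
            else
                bad = 1
        }
        END { exit !(ok && !bad) }
    '
}

# Constructed status output: signing subkey AAAA..., primary key 0123...4567.
sample_status() {
    cat <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG AAAAAAAAAAAAAAAA Constructed Release Signer <signer@example.invalid>
[GNUPG:] VALIDSIG AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 2017-08-09 1502236800 0 4 0 1 8 00 0123456789ABCDEF0123456789ABCDEF01234567
EOF
}

# Constructed placeholder standing in for the value pinned in the Dockerfile.
GPG_KEY="0123 4567 89AB CDEF 0123 4567 89AB CDEF 0123 4567"
if sample_status | signed_by_pinned_key "$GPG_KEY"; then
    echo "signature made by pinned key"
else
    echo "REJECT: signature not made by pinned key"
fi
```

A signature that verifies against a key fetched from the same place as the package passes `gpg --verify` but fails this comparison, which is the case the comment is concerned with.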
