sijie commented on issue #420: Issue 419: dockerfile - auto verify asc file 
   @caiok @zhaijack 
   This is a very good discussion. I like the discussion here.
   I think the core concern is here how to safely distribute/retrieve a KEY ID 
for verification. The approaches that @zhaijack takes (either getting the Key 
id from asc file or by importing KEY files) have the same security concern - 
when both key file or asc file and the package file are faked.
   from this consideration, since each time when we bump a release, we need to 
update the version, I am fine we keep both version and corresponding key in the 
docker file and update on each release.
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:

With regards,
Apache Git Services

Reply via email to