Hi.

On Mon, 13 Jul 2020 at 11:12, Mark Thomas <ma...@apache.org> wrote:
>
> On 13/07/2020 06:43, Stefan Bodewig wrote:
> > On 2020-07-12, Rob Tompkins wrote:
> >
> >> given the consistency of the signatures from the plugins…do we need to
> >> check them for releases anymore?
> >
> > Yes, please. Not everybody uses the plugins and even if everybody did, a
> > misconfiguration could be pulling in the wrong key or a key not
> > available from the expected download location.
>
> +1, for several reasons
>
> It also catches corrupted uploads.
>
> It is simpler to fix during a release vote than after a release where
> we'd have to at least consider the possibility of malicious activity and
> respond accordingly until we could prove it wasn't.
>
> Mark
Perhaps I don't understand the implications of the question asked; I've
been suggesting for more than a couple of years that after the "upload"
part, the same script could download the artefacts. Unless I'm missing
something, this would rule out the scenario which you've evoked above.

Regards,
Gilles
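The post-upload round trip suggested above, as an added example that is not part of the thread nor of any Commons release script: it re-checks a downloaded artefact's published SHA-512 (the corrupted-upload case) and verifies the detached signature against a throw-away keyring built only from the project's KEYS file, so a signature from a key that was never published in KEYS, or from the wrong key, is rejected. It assumes the artefact, its `.sha512` and its `.asc` have already been fetched into one local directory and that `gpg` is on PATH; file names and fingerprints are illustrative.

```python
import hashlib
import re
import subprocess
import tempfile
from pathlib import Path

# Assumption: the .sha512 and .asc files sit beside the downloaded artefact
# and "gpg" is on PATH.  All names below are illustrative.


def sha512_of(artefact) -> str:
    """Hex SHA-512 of a downloaded file."""
    return hashlib.sha512(Path(artefact).read_bytes()).hexdigest()


def sha512_matches(artefact, checksum_file) -> bool:
    """Compare the artefact with its published .sha512 file; accepts both a
    bare hash and the "<hash>  <filename>" form written by sha512sum."""
    published = Path(checksum_file).read_text().split()[0].lower()
    return published == sha512_of(artefact)


def signing_fingerprints(artefact, signature, keys_file) -> set:
    """Verify the detached .asc using a keyring built only from KEYS.
    Returns the 40-hex fingerprints gpg reports for a good signature
    (signing key and its primary key), or an empty set on any failure.
    The isolated keyring means a key present only in the release manager's
    personal keyring, but absent from KEYS, does not verify."""
    with tempfile.TemporaryDirectory() as home:
        gpg = ["gpg", "--batch", "--homedir", home]
        subprocess.run(gpg + ["--import", str(keys_file)], capture_output=True)
        proc = subprocess.run(
            gpg + ["--status-fd", "1", "--verify", str(signature), str(artefact)],
            capture_output=True, text=True)
    if proc.returncode != 0:
        return set()
    # A good signature yields "[GNUPG:] VALIDSIG <fpr> ... <primary fpr>".
    line = re.search(r"^\[GNUPG:\] VALIDSIG .*$", proc.stdout, re.M)
    if not line:
        return set()
    return {t for t in line.group(0).split() if re.fullmatch(r"[0-9A-F]{40}", t)}


def verify_artefact(artefact, expected_fingerprint, keys_file) -> bool:
    """Round-trip check: checksum intact AND signed by the expected KEYS entry."""
    artefact = Path(artefact)
    if not sha512_matches(artefact, artefact.parent / (artefact.name + ".sha512")):
        return False
    found = signing_fingerprints(artefact, artefact.parent / (artefact.name + ".asc"), keys_file)
    return expected_fingerprint.replace(" ", "").upper() in found
```

Run it against every artefact listed in the vote mail, with the fingerprint taken from the KEYS entry of the release manager, not from the signature itself.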