On 03.09.19 at 12:02, Vladimir Sitnikov wrote:
> Hi,
>
> What do you think of https://github.com/apache/jmeter/pull/488 ?

I think it is a nice idea, but isn't it a bit different in semantics to the current checksum-based validation? At the moment we check for the exact version of the binary, while with PGP-based validation we would check for an exact version released by the owner of the key. Do you think this is a problem?

On the other hand, I trust that mechanism all the time for my Ubuntu distro, and it would be the same for Windows, BSD and all the others, right?

Felix

>
> It enables using PGP for artifact verification, so it would simplify
> dependency updates without losing too much.
>
> For instance, recent Jackson and Apache Tika updates could have been served
> by
> <trusted-key id='c9fbaa83a8753994' group='com.fasterxml.jackson.core' />
> and
> <trusted-key id='4a51a45b944ffd51' group='org.apache.tika' />
>
> Vladimir
>
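
Added example (not part of the original message or of the JMeter build): a Python comparison of the two policies discussed above, checksum pinning versus a trusted-key policy built from the two `<trusted-key>` entries quoted in the message. The `<trust>` wrapper element, exact group matching, and the artifact versions and bytes are constructed assumptions, and the signer key id is assumed to come from a PGP signature check performed elsewhere.

```python
import hashlib
import xml.etree.ElementTree as ET
from collections import namedtuple

# The two <trusted-key> entries are from the message; the <trust> wrapper is assumed.
TRUST_XML = """<trust>
  <trusted-key id='c9fbaa83a8753994' group='com.fasterxml.jackson.core' />
  <trusted-key id='4a51a45b944ffd51' group='org.apache.tika' />
</trust>"""

# signer is the key id reported by a PGP signature check done elsewhere
# (assumption); None means unsigned or the signature failed to verify.
Artifact = namedtuple("Artifact", "group name version content signer")

def load_trusted_keys(xml_text):
    """Return {group: {key ids}}; group matching is exact (assumption)."""
    keys = {}
    for el in ET.fromstring(xml_text).iter("trusted-key"):
        keys.setdefault(el.get("group"), set()).add(el.get("id").lower())
    return keys

def checksum_ok(a, pinned):
    """Checksum pinning: only the exact bytes recorded for this coordinate pass."""
    expected = pinned.get((a.group, a.name, a.version))
    return expected == hashlib.sha256(a.content).hexdigest()

def pgp_ok(a, trusted):
    """Trusted-key policy: any artifact of the group signed by a listed key passes."""
    return a.signer is not None and a.signer.lower() in trusted.get(a.group, set())

def compare(artifacts, pinned, trusted):
    """Return {label: (checksum_ok, pgp_ok)} for each labelled artifact."""
    return {k: (checksum_ok(a, pinned), pgp_ok(a, trusted)) for k, a in artifacts.items()}

# Constructed sample artifacts: versions and contents are placeholders.
G = "com.fasterxml.jackson.core"
SAMPLES = {
    "pinned":      Artifact(G, "jackson-core", "1.0.0", b"release 1.0.0", "c9fbaa83a8753994"),
    "new_version": Artifact(G, "jackson-core", "1.0.1", b"release 1.0.1", "C9FBAA83A8753994"),
    "rebuilt":     Artifact(G, "jackson-core", "1.0.0", b"rebuilt 1.0.0", "c9fbaa83a8753994"),
    "other_key":   Artifact(G, "jackson-core", "1.0.1", b"release 1.0.1", "4a51a45b944ffd51"),
    "unsigned":    Artifact(G, "jackson-core", "1.0.0", b"release 1.0.0", None),
}
PINNED = {(G, "jackson-core", "1.0.0"): hashlib.sha256(b"release 1.0.0").hexdigest()}

if __name__ == "__main__":
    for label, result in compare(SAMPLES, PINNED, load_trusted_keys(TRUST_XML)).items():
        print(f"{label:12} checksum={result[0]!s:5} pgp={result[1]}")
```

The `new_version` and `rebuilt` rows are where the policies diverge: the key-based policy accepts anything the key owner signs for that group, including different bytes under an already-pinned version, while the checksum policy accepts neither.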
