[
https://issues.apache.org/jira/browse/SLING-9173?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17418178#comment-17418178
]
Konrad Windszus commented on SLING-9173:
----------------------------------------
Thanks for that hint. That should be documented somewhere for our downstream
consumers to make it possible for them to verify a release is really from us.
Usually importing the public keys from a second (pretty trusted) source like the
apache.org website with a valid certificate is good enough for an initial
trust level...
Maybe a simpler way for verifying can somehow be established with
https://www.simplify4u.org/pgpverify-maven-plugin/check-mojo.html... Haven't
tried it out yet, though.
> Add KEYS file to https://dist.apache.org/repos/dist/release/sling
> -----------------------------------------------------------------
>
> Key: SLING-9173
> URL: https://issues.apache.org/jira/browse/SLING-9173
> Project: Sling
> Issue Type: Bug
> Components: General
> Reporter: Konrad Windszus
> Assignee: Konrad Windszus
> Priority: Major
>
> The link at https://sling.apache.org/downloads.cgi to
> https://www.apache.org/dist/sling/KEYS is broken, because the KEYS file has
> been removed in 2013 from the dist directory.
> The file needs to be reestablished and
> https://sling.apache.org/documentation/development/release-management.html#appendix-a-create-and-add-your-key-to-peopleapacheorg
> needs to be updated.
> Compare with the discussion at
> https://lists.apache.org/thread.html/ra6807cd9c8d7921f4441f621b43c92aa90cb0380b0190e0da1461939%40%3Cdev.sling.apache.org%3E
> It is not allowed to instead just reference the file from
> https://people.apache.org/keys/group/sling.asc; for the reasoning, look at
> https://people.apache.org/keys/
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
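The check the comment describes, fetching KEYS over HTTPS and then confirming that a release signature comes from a key actually listed in it, as an added shell example (not code from the thread or from the Sling project; the KEYS path is the one the issue names, and the sample KEYS entry and gpg status lines are constructed):

```shell
#!/bin/sh
# Added example, not code from the Jira thread or the Sling project: verify a
# release artifact against the KEYS file and require that the signing key's
# fingerprint is one published there. gpg says "Good signature" for any key in
# the keyring, so the verifier must also check which key signed.
set -eu

# Print every 40-hex-digit fingerprint in a KEYS file, upper-cased, no spaces
# (handles both "Key fingerprint = ..." and bare indented fingerprint lines).
keys_fingerprints() {
    sed -e 's/^.*Key fingerprint = //' "$1" | tr -d ' ' |
        grep -E '^[0-9A-Fa-f]{40}$' | tr 'a-f' 'A-F' | sort -u
}

# From gpg --status-file output, print the signing-key and primary-key
# fingerprints of every VALIDSIG line.
status_fingerprints() {
    awk '$2 == "VALIDSIG" { print toupper($3); print toupper($NF) }' "$1" | sort -u
}

# Succeed only if a VALIDSIG fingerprint is one of those listed in KEYS.
signer_listed_in_keys() {            # $1 = gpg status file, $2 = KEYS file
    listed=" $(keys_fingerprints "$2" | tr '\n' ' ') "
    for fpr in $(status_fingerprints "$1"); do
        case "$listed" in *" $fpr "*) return 0 ;; esac
    done
    return 1
}

# Full check: import KEYS (fetched over HTTPS from the dist.apache.org path the
# issue names) into a throw-away keyring, verify the detached signature, then
# confirm the signer is published in KEYS. Not exercised by the sample data below.
verify_release() {                   # $1 = artifact, $2 = artifact.asc, $3 = KEYS
    home=$(mktemp -d)
    gpg --homedir "$home" --batch --quiet --import "$3"
    gpg --homedir "$home" --batch --status-file "$home/status" --verify "$2" "$1"
    signer_listed_in_keys "$home/status" "$3"
}
# Usage: curl -fsSLO https://dist.apache.org/repos/dist/release/sling/KEYS && verify_release sling.zip sling.zip.asc KEYS

# Constructed sample data (no real keys or signatures) to exercise the checks.
SAMPLE=$(mktemp -d)
cat > "$SAMPLE/KEYS" <<'EOF'
pub   rsa4096 2020-01-01 [SC]
      0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567
uid           [ultimate] Example Committer <committer@example.invalid>
EOF
GOOD=0123456789ABCDEF0123456789ABCDEF01234567; ROGUE=FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
printf '[GNUPG:] VALIDSIG %s 2021-01-01 1609459200 0 4 0 1 10 00 %s\n' "$GOOD" "$GOOD" > "$SAMPLE/status.good"     # listed key
printf '[GNUPG:] VALIDSIG %s 2021-01-01 1609459200 0 4 0 1 10 00 %s\n' "$ROGUE" "$ROGUE" > "$SAMPLE/status.rogue"  # valid sig, unlisted key
```

The rogue case is the one a plain `gpg --verify` exit code does not catch: any key that happens to be in the keyring yields a valid signature, so the fingerprint comparison against KEYS is the step that ties the release to the project.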