Kuppitz, just thought I'd start a fresh thread for this gpg issue. Reading
about how to validate the authenticity of a key a bit and it seems like a
reasonable level of validation would be to verify the key against the list
of apache committers:


I guess validate-distribution.sh does that in a sense by allowing through
certain keys by hardcoding known ones directly into the shell script. Maybe
just leave it like that and we just add new keys as needed? or is it easy
to alter the validate-distribution.sh script to verify the key against that
link above?

Reply via email to