+1 Robert Dale
On Thu, Apr 5, 2018 at 1:04 PM, Stephen Mallette <spmalle...@gmail.com> wrote:

> I think that approach makes sense. From my perspective I don't think this
> needs a PR. Maybe just wait until end of day Friday to CTR it in? This
> discussion basically serves as review imo.
>
> On Thu, Apr 5, 2018 at 11:43 AM, Daniel Kuppitz <m...@gremlin.guru> wrote:
>
> > Here's what I came up with:
> > https://gist.github.com/dkuppitz/55d62c451a52d028825ea73803ae6320
> >
> > This new approach verifies that the file was signed by anyone who's listed
> > in the KEYS file (the one hosted on Apache servers, not the one in the
> > repo) and that the signature matches the one listed on Apache's site.
> >
> > CTR? PR?
> >
> > Cheers,
> > Daniel
> >
> >
> > On Wed, Apr 4, 2018 at 2:28 PM, Daniel Kuppitz <m...@gremlin.guru> wrote:
> >
> > > I guess we could use the link above, but we would still have to have a
> > > hard-coded list of committers, unless we want to allow any Apache
> > > committer to sign the artifacts. But it still sounds more secure to do it
> > > this way, I'll give it a try tomorrow.
> > >
> > >
> > > On Wed, Apr 4, 2018, 2:21 PM Stephen Mallette <spmalle...@gmail.com>
> > > wrote:
> > >
> > >> Kuppitz, just thought I'd start a fresh thread for this gpg issue.
> > >> Reading about how to validate the authenticity of a key a bit and it
> > >> seems like a reasonable level of validation would be to verify the key
> > >> against the list of Apache committers:
> > >>
> > >> https://people.apache.org/keys/committer/
> > >>
> > >> I guess validate-distribution.sh does that in a sense by allowing
> > >> through certain keys by hardcoding known ones directly into the shell
> > >> script. Maybe just leave it like that and we just add new keys as
> > >> needed? Or is it easy to alter the validate-distribution.sh script to
> > >> verify the key against that link above?
> > >>
> > >
> > >
> >
>
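The check Daniel describes above (signature valid, and signer listed in the KEYS file fetched from Apache rather than the copy in the repo) in shell, as an added example for this thread. It is not the project's validate-distribution.sh and not the code in the linked gist; the KEYS parsing relies on the two fingerprint layouts that `gpg --list-sigs` has produced (older "Key fingerprint = ..." lines and the bare 40-hex line gpg 2.1+ prints under `pub`), the VALIDSIG field positions follow gpg's documented `--status-fd` format, and the download URLs in the usage comment assume the standard dist.apache.org layout. The sample inputs in the tests are constructed, not real Apache keys or signatures.

```shell
#!/bin/sh
# Added example (not the project's validate-distribution.sh or the gist above):
# verify a release artifact's detached signature using only the keys in the
# KEYS file downloaded from Apache, and additionally require that the signing
# key's primary fingerprint is listed in that KEYS file.

# Print every key fingerprint listed in a KEYS file read from stdin, one per
# line. KEYS files are `gpg --list-sigs` output followed by armored key blocks,
# so fingerprints appear either as "Key fingerprint = 1234 5678 ..." (older gpg)
# or as a bare indented 40-hex line below "pub" (gpg 2.1+). Anchoring on the
# line end keeps armored base64 lines from matching.
keys_fingerprints() {
  tr -d ' \r' | grep -Eo '(^|=)[0-9A-F]{40}$' | tr -d '=' | sort -u
}

# Read `gpg --status-fd` output from stdin and print the primary-key
# fingerprint from the VALIDSIG line. gpg emits VALIDSIG only for a
# cryptographically good signature; its last field is the primary key
# fingerprint, which is what KEYS lists even when a signing subkey made the
# signature (older gpg omits it, so fall back to the signing-key fingerprint).
# Returns 1 when no VALIDSIG line is present (BADSIG, unknown key, and so on).
validsig_primary_fpr() {
  awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" {
         print ($12 != "" ? $12 : $3); found = 1
       } END { exit !found }'
}

# Given gpg status text ($1) and KEYS text ($2), print the signer's primary
# fingerprint and return 0 only when it appears in KEYS; otherwise return 1.
signer_in_keys() {
  sik_fpr=$(printf '%s\n' "$1" | validsig_primary_fpr) || return 1
  printf '%s\n' "$2" | keys_fingerprints | grep -qx "$sik_fpr" || return 1
  printf '%s\n' "$sik_fpr"
}

# verify_release <artifact> <artifact.asc> <KEYS>
# Imports KEYS into a throwaway GNUPGHOME so the user's own keyring (and any
# key it happens to trust) is never consulted, verifies the detached signature,
# then applies the KEYS membership check. That check is deliberately redundant
# with the throwaway keyring: it still fails closed if the gpg invocation is
# ever changed to use the default keyring.
verify_release() {
  vr_artifact=$1; vr_sig=$2; vr_keys=$3
  vr_home=$(mktemp -d) || return 1
  chmod 700 "$vr_home"
  if ! gpg --homedir "$vr_home" --batch --quiet --import "$vr_keys" 2>/dev/null; then
    rm -rf "$vr_home"; echo "could not import $vr_keys" >&2; return 1
  fi
  vr_status=$(gpg --homedir "$vr_home" --batch --status-fd 1 \
                  --verify "$vr_sig" "$vr_artifact" 2>/dev/null)
  rm -rf "$vr_home"
  if vr_fpr=$(signer_in_keys "$vr_status" "$(cat "$vr_keys")"); then
    echo "OK: $vr_artifact signed by $vr_fpr, which is listed in $vr_keys"
  else
    echo "FAIL: $vr_artifact is not validly signed by a key in $vr_keys" >&2
    return 1
  fi
}

# Usage (assumed standard Apache layout: KEYS at the top of the project's
# dist.apache.org release tree, the .asc next to the artifact; <artifact> and
# <ver> are placeholders):
#   curl -fsSLO https://dist.apache.org/repos/dist/release/tinkerpop/KEYS
#   curl -fsSLO https://dist.apache.org/repos/dist/release/tinkerpop/<ver>/<artifact>.asc
#   verify_release <artifact> <artifact>.asc KEYS
```

Two points worth keeping in mind with this shape: the script never consults gpg's web of trust (TRUST_UNDEFINED is expected and ignored), so the trust anchor is entirely the KEYS file served over HTTPS from Apache, which is why it must be fetched fresh rather than read from the repository checkout; and a `GOODSIG` line alone is not enough, since only `VALIDSIG` carries the fingerprint needed for the membership check.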