Daniel, please CTR this so I don't have to add myself to the list for this
coming release.

Robert Dale

On Thu, Apr 5, 2018 at 1:48 PM, Robert Dale <robd...@gmail.com> wrote:

> +1
>
> Robert Dale
>
> On Thu, Apr 5, 2018 at 1:04 PM, Stephen Mallette <spmalle...@gmail.com>
> wrote:
>
>> I think that approach makes sense. From my perspective I don't think this
>> needs a PR. Maybe just wait until end of day Friday to CTR it in? This
>> discussion basically serves as review imo.
>>
>> On Thu, Apr 5, 2018 at 11:43 AM, Daniel Kuppitz <m...@gremlin.guru> wrote:
>>
>> > Here's what I came up with:
>> > https://gist.github.com/dkuppitz/55d62c451a52d028825ea73803ae6320
>> > This new approach verifies that the file was signed by anyone who's listed
>> > in the KEYS file (the one hosted on Apache servers, not the one in the repo)
>> > and that the signature matches the one listed on Apache's site.
>> >
>> > CTR? PR?
>> >
>> > Cheers,
>> > Daniel
>> >
>> >
>> > On Wed, Apr 4, 2018 at 2:28 PM, Daniel Kuppitz <m...@gremlin.guru> wrote:
>> >
>> > > I guess we could use the link above, but we would still have to have a
>> > > hard coded list of committers, unless we want to allow any Apache committer
>> > > to sign the artifacts. But it still sounds more secure to do it this way,
>> > > I'll give it a try tomorrow.
>> > >
>> > >
>> > > On Wed, Apr 4, 2018, 2:21 PM Stephen Mallette <spmalle...@gmail.com>
>> > > wrote:
>> > >
>> > >> Kuppitz, just thought I'd start a fresh thread for this gpg issue. Reading
>> > >> about how to validate the authenticity of a key a bit and it seems like a
>> > >> reasonable level of validation would be to verify the key against the list
>> > >> of Apache committers:
>> > >>
>> > >> https://people.apache.org/keys/committer/
>> > >>
>> > >> I guess validate-distribution.sh does that in a sense by allowing through
>> > >> certain keys by hardcoding known ones directly into the shell script. Maybe
>> > >> just leave it like that and we just add new keys as needed? Or is it easy
>> > >> to alter the validate-distribution.sh script to verify the key against that
>> > >> link above?
>> > >>
>> > >
>> >
>>
>
>
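The check Daniel describes (signature must come from a key in the KEYS file, and the artifact must match the published checksum), written out as an added example that is neither the linked gist nor the project's validate-distribution.sh. It assumes gpg 2.1 or later and sha256sum or shasum on the PATH; the key names, the `example.invalid` addresses, the artifact and its digest are all constructed for the demo. The important design point is that the verification keyring starts empty and is populated only from KEYS, so gpg cannot report a valid signature for any signer who is not listed there, which is exactly the property a hard-coded fingerprint list was approximating.

```shell
#!/bin/sh
# Added example, not the project's validate-distribution.sh. Verifies a release
# artifact against (1) a KEYS file and (2) a published SHA-256 digest.
# Everything here (key owners, artifact, digest) is constructed for the demo.

# Print the SHA-256 hex digest of a file (sha256sum on Linux, shasum elsewhere).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# verify_distribution ARTIFACT SIGNATURE KEYS_FILE EXPECTED_SHA256
# Returns 0 and prints the signer's fingerprint only if the detached signature
# validates against a key taken from KEYS_FILE and the digest matches.
verify_distribution() {
  artifact=$1; sig=$2; keys=$3; expected=$4
  tmphome=$(mktemp -d) || return 1
  chmod 700 "$tmphome"
  # A fresh keyring that holds nothing but the KEYS file.
  if ! GNUPGHOME="$tmphome" gpg --batch --quiet --import "$keys" 2>/dev/null; then
    echo "could not import $keys" >&2; rm -rf "$tmphome"; return 1
  fi
  # --status-fd gives machine-readable output; VALIDSIG is emitted only for a
  # good signature from a key present in this keyring and carries its fingerprint.
  status=$(GNUPGHOME="$tmphome" gpg --batch --status-fd 1 --verify "$sig" "$artifact" 2>/dev/null)
  GNUPGHOME="$tmphome" gpgconf --kill gpg-agent 2>/dev/null
  rm -rf "$tmphome"
  fpr=$(printf '%s\n' "$status" | awk '/^\[GNUPG:\] VALIDSIG /{print $3; exit}')
  if [ -z "$fpr" ]; then
    echo "signature is not from a key listed in $keys" >&2; return 1
  fi
  actual=$(sha256_of "$artifact")
  if [ "$actual" != "$expected" ]; then
    echo "digest mismatch: expected $expected got $actual" >&2; return 1
  fi
  echo "$fpr"
}

# build_demo DIR: create a throwaway release key (exported into KEYS), a second
# "rogue" key that is deliberately NOT in KEYS, a constructed artifact, a
# detached signature from each key, and the artifact's digest.
build_demo() {
  dir=$1; mkdir -p "$dir"
  for who in release rogue; do
    home="$dir/gnupg-$who"; mkdir -p "$home"; chmod 700 "$home"
    GNUPGHOME="$home" gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
      --quick-gen-key "$who <$who@example.invalid>" default default never 2>/dev/null || return 1
  done
  printf 'constructed release artifact\n' > "$dir/artifact.zip"
  GNUPGHOME="$dir/gnupg-release" gpg --batch --quiet --armor --export > "$dir/KEYS" 2>/dev/null || return 1
  for who in release rogue; do
    GNUPGHOME="$dir/gnupg-$who" gpg --batch --quiet --yes --pinentry-mode loopback --passphrase '' \
      --armor --detach-sign -o "$dir/artifact.zip.$who.asc" "$dir/artifact.zip" 2>/dev/null || return 1
    GNUPGHOME="$dir/gnupg-$who" gpgconf --kill gpg-agent 2>/dev/null
  done
  sha256_of "$dir/artifact.zip" > "$dir/artifact.zip.sha256"
}

# run_demo: accepted for the listed signer, rejected for the unlisted signer,
# rejected when the published digest disagrees. Returns 0 if all three behave.
run_demo() {
  work=$(mktemp -d) || return 1
  build_demo "$work" || { rm -rf "$work"; return 1; }
  expected=$(cat "$work/artifact.zip.sha256"); ok=0
  if fpr=$(verify_distribution "$work/artifact.zip" "$work/artifact.zip.release.asc" "$work/KEYS" "$expected"); then
    echo "accepted: signed by $fpr"
  else ok=1; fi
  if verify_distribution "$work/artifact.zip" "$work/artifact.zip.rogue.asc" "$work/KEYS" "$expected" 2>/dev/null; then
    ok=1
  else echo "rejected: signer not in KEYS"; fi
  if verify_distribution "$work/artifact.zip" "$work/artifact.zip.release.asc" "$work/KEYS" "0000" 2>/dev/null; then
    ok=1
  else echo "rejected: digest mismatch"; fi
  rm -rf "$work"
  return $ok
}

if [ "${1:-}" = "demo" ]; then run_demo; fi
```

Run as `sh verify-demo.sh demo` to see all three outcomes. For a real release the KEYS file would be fetched from the Apache-hosted location rather than taken from the repository checkout, as the thread notes, and the expected digest from the published checksum file next to the artifact.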
