Done, thanks for the reminder. Cheers, Daniel
On Wed, May 2, 2018 at 5:23 AM, Robert Dale <robd...@gmail.com> wrote:
> Daniel, please CTR this so I don't have to add myself to the list for this
> coming release.
>
> Robert Dale
>
> On Thu, Apr 5, 2018 at 1:48 PM, Robert Dale <robd...@gmail.com> wrote:
>
> > +1
> >
> > Robert Dale
> >
> > On Thu, Apr 5, 2018 at 1:04 PM, Stephen Mallette <spmalle...@gmail.com> wrote:
> >
> > > I think that approach makes sense. From my perspective I don't think this
> > > needs a PR. Maybe just wait until end of day Friday to CTR it in? This
> > > discussion basically serves as review imo.
> > >
> > > On Thu, Apr 5, 2018 at 11:43 AM, Daniel Kuppitz <m...@gremlin.guru> wrote:
> > >
> > > > Here's what I came up with:
> > > > https://gist.github.com/dkuppitz/55d62c451a52d028825ea73803ae6320
> > > > This new approach verifies that the file was signed by anyone who's listed
> > > > in the KEYS file (the one hosted on Apache servers, not the one in the repo)
> > > > and that the signature matches the one listed on Apache's site.
> > > >
> > > > CTR? PR?
> > > >
> > > > Cheers,
> > > > Daniel
> > > >
> > > > On Wed, Apr 4, 2018 at 2:28 PM, Daniel Kuppitz <m...@gremlin.guru> wrote:
> > > >
> > > > > I guess we could use the link above, but we would still have to have a
> > > > > hard-coded list of committers, unless we want to allow any Apache committer
> > > > > to sign the artifacts. But it still sounds more secure to do it this way,
> > > > > I'll give it a try tomorrow.
> > > > >
> > > > > On Wed, Apr 4, 2018, 2:21 PM Stephen Mallette <spmalle...@gmail.com> wrote:
> > > > >
> > > > > > Kuppitz, just thought I'd start a fresh thread for this gpg issue. Reading
> > > > > > about how to validate the authenticity of a key a bit and it seems like a
> > > > > > reasonable level of validation would be to verify the key against the list
> > > > > > of Apache committers:
> > > > > >
> > > > > > https://people.apache.org/keys/committer/
> > > > > >
> > > > > > I guess validate-distribution.sh does that in a sense by allowing through
> > > > > > certain keys by hardcoding known ones directly into the shell script. Maybe
> > > > > > just leave it like that and we just add new keys as needed? Or is it easy
> > > > > > to alter the validate-distribution.sh script to verify the key against that
> > > > > > link above?
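The check the thread converges on (signature made by a key listed in the KEYS file hosted on Apache servers, plus the artifact's digest matching the one published on the download page) can be expressed in a few shell functions. The script below is an added illustration written for this page; it is neither Daniel's gist nor the project's validate-distribution.sh. It assumes the artifact, its detached `.asc` signature, the published SHA-256 and a locally saved copy of the KEYS file are passed in as arguments, and that `gpg` is installed.

```shell
#!/bin/sh
# Added example for this thread, not the project's validate-distribution.sh
# and not the gist linked above. Assumed inputs: <artifact> <artifact.asc>
# <expected-sha256> <KEYS file saved from the Apache dist server>.

# Print the SHA-256 digest of a file (sha256sum on Linux, shasum on macOS/BSD).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Return 0 when the file's digest equals the published one (case-insensitive).
verify_checksum() {
    actual=$(sha256_of "$1")
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# Return 0 when the detached signature on the artifact was made by a key that
# is present in the given KEYS file. A throwaway GNUPGHOME is used so the
# verification cannot be satisfied by anything in the user's default keyring:
# the only public keys that exist there are the ones imported from KEYS.
verify_signature() {
    artifact=$1; sig=$2; keys=$3
    keyring=$(mktemp -d) || return 2
    chmod 700 "$keyring"
    if ! GNUPGHOME=$keyring gpg --batch --quiet --import "$keys" 2>/dev/null; then
        rm -rf "$keyring"
        return 2
    fi
    GNUPGHOME=$keyring gpg --batch --verify "$sig" "$artifact"
    rc=$?
    rm -rf "$keyring"
    return $rc
}

# Run both checks; fail closed on the first one that does not pass.
validate_release() {
    verify_checksum "$1" "$3" || { echo "checksum mismatch for $1" >&2; return 1; }
    verify_signature "$1" "$2" "$4" || { echo "signature on $1 not made by a key in $4" >&2; return 1; }
    echo "$1: checksum and signature OK"
}

# Only run when invoked with all four arguments, so the functions can be sourced.
if [ $# -eq 4 ]; then
    validate_release "$@"
fi
```

Two points worth knowing when reading the output: `gpg --verify` exits 0 for a good signature even while printing a "not certified with a trusted signature" warning, which is fine here because membership in the Apache-hosted KEYS file, not web-of-trust status, is the acceptance criterion the thread settled on; and the fresh `GNUPGHOME` is what turns "verified by some key" into "verified by a key in KEYS", which the user's default keyring would not guarantee.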