dave2wave opened a new issue, #5: URL: https://github.com/apache/tooling-docs/issues/5
Packages are validated/verified in the following ways:

1. Check that the detached signature matches the public signing key.
2. Check that the SHA512 (or others) matches the package.
3. Optionally, check a signed binary's digital certificate issued on demand.

We have some issues to consider:

1. The Web of Trust is not dependable.
2. We can leak signed release candidates.
3. Most users don't verify completely.

We need to discuss how we can make verification easy for any downstream consumer of ASF software.
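One way a downstream consumer can carry out checks 1 and 2 above, added here as an illustration and not code from the issue or from apache/tooling-docs. It assumes the artifact sits beside its `.asc` and `.sha512` files, that the project's KEYS file has already been imported with `gpg --import`, and that the digest file and KEYS file use the layouts produced by `sha512sum`, `gpg --print-md SHA512` and `gpg --list-keys`:

```python
import hashlib
import re
import subprocess
from pathlib import Path
from typing import Optional, Set

# sha512sum(1) layout: "<128 hex>  <filename>" ('*' marks binary mode).
SHA512SUM_LINE = re.compile(r"^([0-9a-fA-F]{128})\s+\*?\S+")
# "Key fingerprint = ..." lines as gpg --list-keys writes them into a KEYS file.
FINGERPRINT_LINE = re.compile(r"Key fingerprint = ([0-9A-F ]{40,})")

def parse_sha512_file(text: str) -> str:
    """Expected digest as lowercase hex from either .sha512 layout: the sha512sum(1)
    one, or the gpg --print-md SHA512 one ("<filename>: <HEX> <HEX> ..." wrapped over
    several lines) that ASF projects also publish and that sha512sum -c rejects."""
    first = text.strip().splitlines()[0] if text.strip() else ""
    match = SHA512SUM_LINE.match(first)
    if match:
        return match.group(1).lower()
    body = text.split(":", 1)[1] if ":" in first else text
    digest = "".join(re.findall(r"[0-9A-Fa-f]+", body)).lower()
    if len(digest) != 128:
        raise ValueError("no 512-bit digest found in .sha512 file")
    return digest

def sha512_of(path: Path) -> str:
    h = hashlib.sha512()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def checksum_matches(artifact: Path, sha_file: Path) -> bool:
    return sha512_of(artifact) == parse_sha512_file(sha_file.read_text())

def fingerprints_in_keys(keys_text: str) -> Set[str]:
    """Fingerprints listed in the project's KEYS file, spaces removed."""
    return {m.replace(" ", "") for m in FINGERPRINT_LINE.findall(keys_text)}

def signing_fingerprint(artifact: Path, asc: Path) -> Optional[str]:
    """Fingerprint from gpg's VALIDSIG status line, or None if the signature fails.
    gpg's trust model is ignored on purpose: pin the result against
    fingerprints_in_keys() instead of relying on the web of trust."""
    proc = subprocess.run(["gpg", "--batch", "--status-fd", "1", "--verify",
                           str(asc), str(artifact)], capture_output=True, text=True)
    for line in proc.stdout.splitlines():
        if line.startswith("[GNUPG:] VALIDSIG "):
            return line.split()[2]
    return None
```

A release passes only when `checksum_matches()` is true and `signing_fingerprint()` returns a fingerprint contained in `fingerprints_in_keys()`; a good signature from a key that is not in KEYS is a failure, not a warning.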