sbp commented on issue #236: URL: https://github.com/apache/tooling-trusted-releases/issues/236#issuecomment-3542146570
If we sign the vote info then we'd have to maintain a long lived key, and we'd have to work out revocation and rotation flows. We could store the information in the audit log instead, which will be tamper resistant when #214 is resolved, but it is not efficient to query. We could store the information in the database, which is efficient to query, but it is not tamper resistant. We would need either to make the audit log efficient to query, or to make the database tamper resistant. Since this question has arisen before, I have opened issue #329 to discuss this further.
