On 11 October 2012 02:39, Daniel Shahaf <d...@daniel.shahaf.name> wrote:
> Greg Stein wrote on Wed, Oct 10, 2012 at 21:31:30 -0400:
>> Not too much. We still instruct users "take the signatures and verify
>> them against blah.apache.org/KEYS". John Blackhat could replace the
>> signatures and install his entry into KEYS.
>
> If you use https://people.apache.org/keys/ instead of KEYS files in the
> dist/ tree, John would have to crack two machines rather than one.

Last time I looked, the process downloads the key from a PGP server
(which does not provide any auth at all) using the key id(s) in LDAP.

I assume you mean John would have to obtain credentials to be able to
alter the key id in the signer's LDAP record?

AFAIK, this is the same LDAP that is used to authenticate SVN access
(which is all that is needed to upload new archives and KEYS).

Seems like a single point of failure to me - or maybe I am missing
something here?

> </plug> :-P
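As an added example (not code from this thread or from Apache infrastructure): a small check that compares the KEYS file a release is verified against with signer fingerprints pinned through an independent channel, so an entry replaced or added on the dist host is reported instead of trusted, and a key id that does not match its own fingerprint is flagged as well. The KEYS text and fingerprints below are constructed.

```python
import re
# Constructed sample in the layout of an Apache KEYS file (listing header + armored block).
SAMPLE_KEYS = """\
pub   4096R/0A1B2C3D 2011-03-01
      Key fingerprint = 1111 2222 3333 4444 5555  6666 7777 8888 0A1B 2C3D
uid                  Release Manager <rm@example.invalid>
-----BEGIN PGP PUBLIC KEY BLOCK-----
mQINBEconstructedblock1
-----END PGP PUBLIC KEY BLOCK-----
pub   2048R/DEADBEEF 2012-10-10
      Key fingerprint = AAAA BBBB CCCC DDDD EEEE  FFFF 0000 1111 DEAD BEEF
uid                  Unexpected Signer <who@example.invalid>
-----BEGIN PGP PUBLIC KEY BLOCK-----
mQENBEconstructedblock2
-----END PGP PUBLIC KEY BLOCK-----
"""
# Fingerprints recorded earlier through an independent channel (constructed).
PINNED = {"111122223333444455556666777788880A1B2C3D"}
PUB_RE = re.compile(r"^pub\s+(?:\S+/([0-9A-Fa-f]{8,}))?")
# Matches "Key fingerprint = ..." and the bare fingerprint line newer gpg prints.
FPR_RE = re.compile(r"([0-9A-Fa-f]{4}(?:\s+[0-9A-Fa-f]{4}){9})\s*$")

def parse_keys(text):
    """Return {fingerprint: (key_id_or_None, uid)} from the listing headers
    of a KEYS file; the armored blocks themselves are not decoded."""
    entries, cur = {}, None
    def flush():
        if cur and cur["fpr"]:
            entries[cur["fpr"]] = (cur["kid"], cur["uid"])
    for line in text.splitlines():
        m = PUB_RE.match(line)
        if m:
            flush()
            kid = m.group(1).upper() if m.group(1) else None
            cur = {"kid": kid, "fpr": None, "uid": ""}
        elif cur and (m := FPR_RE.search(line)):
            cur["fpr"] = re.sub(r"\s", "", m.group(1)).upper()
        elif cur and line.startswith("uid"):
            cur["uid"] = line[3:].strip()
    flush()
    return entries

def audit_keys(text, pinned):
    """Return (unexpected, missing, mismatched): KEYS entries not pinned, pinned
    fingerprints absent from KEYS, and entries whose key id is not their fingerprint's tail."""
    found = parse_keys(text)
    unexpected = {f: v for f, v in found.items() if f not in pinned}
    missing = set(pinned) - set(found)
    mismatched = [f for f, (kid, _) in found.items() if kid and not f.endswith(kid)]
    return unexpected, missing, mismatched
```

Run `audit_keys(open("KEYS").read(), PINNED)` after downloading KEYS and treat a non-empty `unexpected` or `missing` as a reason to stop and check the signer list through another channel before verifying the archive.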

---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org
For additional commands, e-mail: general-h...@incubator.apache.org
