Robert,


Therefore, it seems to me that a release signed by a key which resides on an ASF machine can be trusted as much as a release downloaded directly from an ASF machine.

So, in security terms, moving from unsigned releases on an ASF machine to signed releases on mirrors with keys on ASF machines is security neutral.

Moving to a secure Apache-wide system of signed keys would be a definite improvement. (But there may be practical problems to be overcome.)


Absolutely agree with all of the above. Thus my question about "what is the aim". If the aim is to remain in a neutral state, then OK. It just seems to me that given we have to address one problem, then there is an opportunity to address the wider problem and look at how we can overcome the practical problems you mention. They have all been overcome before, and anything that promotes "trust" in the Apache brand has to be a good thing?


I think I might go one step further in remaining security neutral. We also need to more strongly "advertise" the need for people to now validate signatures against a key sourced from an ASF machine to encourage people to take that extra step. Easily done however. (Part of the download page etc.)

Cheers,
   Berin

