[ https://issues.apache.org/jira/browse/ARROW-926?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15991441#comment-15991441 ]

Julian Hyde commented on ARROW-926:
-----------------------------------
When you download a tar ball you need to check that it is genuine. So, you
check it against keys on a site you trust, namely apache.org. You should
definitely not check your tar ball against the KEYS file in the tar ball!
In fact, my main reason to not include KEYS in the git repo is that it is easy
for a release manager to accidentally include the KEYS file in the release. I'd
say that https://github.com/apache/arrow/blob/master/KEYS is reasonably secure,
except that it hasn't necessarily been vetted by a release vote.
> Update KEYS to include wesm
> ---------------------------
>
> Key: ARROW-926
> URL: https://issues.apache.org/jira/browse/ARROW-926
> Project: Apache Arrow
> Issue Type: New Feature
> Reporter: Wes McKinney
> Assignee: Wes McKinney
> Fix For: 0.3.0
>
>
> If we want to remove KEYS from git we should do that separately. I see that
> Apache Ant (which is given as an example in the ASF guide to GPG security)
> has a KEYS file https://github.com/apache/ant/blob/master/KEYS.
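
The check described in the comment above, written out as an added example; it is not part of the original message or of the Arrow project's release scripts. The function names are hypothetical, and the trusted KEYS file is assumed to have been downloaded separately over HTTPS from apache.org.

```bash
#!/usr/bin/env bash
# Added example; function names are hypothetical, not Arrow tooling.

# Print archive members named KEYS at any depth.
# Returns 0 if any are found, 1 if none, 2 if the archive cannot be read
# (so an unreadable archive is never mistaken for a clean one).
bundled_keys() {
    listing=$(tar -tf "$1") || return 2
    printf '%s\n' "$listing" | grep -E '(^|/)KEYS$'
}

# Verify TARBALL against its detached signature SIG using only the keys in
# TRUSTED_KEYS, a file the caller fetched from apache.org (assumption).
# A throwaway GnuPG home is used so that no key already on this machine,
# and no key shipped inside the archive, can satisfy the check.
verify_release() (
    trusted_keys=$1; tarball=$2; sig=$3
    home=$(mktemp -d) || exit 2
    trap 'rm -rf "$home"' EXIT

    gpg --homedir "$home" --batch --quiet --import "$trusted_keys" || exit 2
    gpg --homedir "$home" --batch --verify "$sig" "$tarball" || exit 1

    # Release-manager check: flag a KEYS file that slipped into the archive.
    if bundled_keys "$tarball" >/dev/null; then
        echo "warning: archive contains its own KEYS file; it was not used" >&2
    fi
)
```

`verify_release KEYS arrow.tar.gz arrow.tar.gz.asc` returns 0 only when the signature was made by a key in the trusted file; `bundled_keys` can also be run on its own against a release candidate before a vote.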