https://issues.apache.org/ooo/show_bug.cgi?id=122430
--- Comment #1 from [email protected] --- I know that you publish GPG signatures, but frankly, there's the "bootstrap" problem of how does the user know he has your correct GPG key? X509 solves that to an acceptable degree (and anyone can still also check the GPG sigs if she doesn't trust public CAs). -- You are receiving this mail because: You are on the CC list for the bug. You are the assignee for the bug.
