Re: [DISCUSS] gpg check in validate-distribution.sh [Was: [VOTE] TinkerPop 3.3.2 Release]
Done, thanks for the reminder.

Cheers,
Daniel

On Wed, May 2, 2018 at 5:23 AM, Robert Dale wrote:
> Daniel, please CTR this so I don't have to add myself to the list for this coming release.
>
> Robert Dale
Re: [DISCUSS] gpg check in validate-distribution.sh [Was: [VOTE] TinkerPop 3.3.2 Release]
Daniel, please CTR this so I don't have to add myself to the list for this coming release.

Robert Dale

On Thu, Apr 5, 2018 at 1:48 PM, Robert Dale wrote:
> +1
>
> Robert Dale
Re: [DISCUSS] gpg check in validate-distribution.sh [Was: [VOTE] TinkerPop 3.3.2 Release]
+1

Robert Dale

On Thu, Apr 5, 2018 at 1:04 PM, Stephen Mallette wrote:
> I think that approach makes sense. From my perspective I don't think this needs a PR. Maybe just wait until end of day Friday to CTR it in? This discussion basically serves as review, IMO.
Re: [DISCUSS] gpg check in validate-distribution.sh [Was: [VOTE] TinkerPop 3.3.2 Release]
I think that approach makes sense. From my perspective I don't think this needs a PR. Maybe just wait until end of day Friday to CTR it in? This discussion basically serves as review, IMO.

On Thu, Apr 5, 2018 at 11:43 AM, Daniel Kuppitz wrote:
> Here's what I came up with:
> https://gist.github.com/dkuppitz/55d62c451a52d028825ea73803ae6320
>
> This new approach verifies that the file was signed by anyone who's listed in the KEYS file (the one hosted on Apache servers, not the one in the repo) and that the signature matches the one listed on Apache's site.
>
> CTR? PR?
>
> Cheers,
> Daniel
Re: [DISCUSS] gpg check in validate-distribution.sh [Was: [VOTE] TinkerPop 3.3.2 Release]
Here's what I came up with:
https://gist.github.com/dkuppitz/55d62c451a52d028825ea73803ae6320

This new approach verifies that the file was signed by anyone who's listed in the KEYS file (the one hosted on Apache servers, not the one in the repo) and that the signature matches the one listed on Apache's site.

CTR? PR?

Cheers,
Daniel

On Wed, Apr 4, 2018 at 2:28 PM, Daniel Kuppitz wrote:
> I guess we could use the link above, but we would still have to have a hard-coded list of committers, unless we want to allow any Apache committer to sign the artifacts. But it still sounds more secure to do it this way; I'll give it a try tomorrow.
Re: [DISCUSS] gpg check in validate-distribution.sh [Was: [VOTE] TinkerPop 3.3.2 Release]
I guess we could use the link above, but we would still have to have a hard-coded list of committers, unless we want to allow any Apache committer to sign the artifacts. But it still sounds more secure to do it this way; I'll give it a try tomorrow.

On Wed, Apr 4, 2018, 2:21 PM Stephen Mallette wrote:
> Kuppitz, just thought I'd start a fresh thread for this gpg issue. Reading about how to validate the authenticity of a key a bit, it seems like a reasonable level of validation would be to verify the key against the list of Apache committers:
>
> https://people.apache.org/keys/committer/
>
> I guess validate-distribution.sh does that in a sense by allowing through certain keys by hardcoding known ones directly into the shell script. Maybe just leave it like that and we just add new keys as needed? Or is it easy to alter the validate-distribution.sh script to verify the key against that link above?
[DISCUSS] gpg check in validate-distribution.sh [Was: [VOTE] TinkerPop 3.3.2 Release]
Kuppitz, just thought I'd start a fresh thread for this gpg issue. Reading about how to validate the authenticity of a key a bit, it seems like a reasonable level of validation would be to verify the key against the list of Apache committers:

https://people.apache.org/keys/committer/

I guess validate-distribution.sh does that in a sense by allowing through certain keys by hardcoding known ones directly into the shell script. Maybe just leave it like that and we just add new keys as needed? Or is it easy to alter the validate-distribution.sh script to verify the key against that link above?
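An added example, not the gist from the thread and not TinkerPop's own validate-distribution.sh, illustrating the check that Stephen's question and Daniel's reply circle around: rather than hard-coding known key IDs in the script, the artifact's detached signature is accepted only if it verifies under a key imported from the project's KEYS file, and the artifact's SHA-256 must match the checksum published beside it (my reading of "matches the one listed on Apache's site"). The import goes into a throwaway GNUPGHOME so that nothing in the reviewer's default keyring can satisfy the check. The demo key `rm@example.invalid`, the artifact name `tinkerpop-demo.zip`, the KEYS file paths and all checksums are constructed for this example; `run_demo` generates a throwaway key, signs a constructed file and exercises the accept path plus both reject paths (signer not listed in KEYS, artifact altered after signing).

```shell
#!/usr/bin/env bash
# Added example (not TinkerPop's validate-distribution.sh nor the gist from the
# thread). Accept a release artifact only if (1) its detached signature was made
# by a key listed in the project's KEYS file and (2) its SHA-256 matches the
# published checksum. Key, paths and checksums below are constructed for the demo.
set -eu

# verify_signature_against_keys KEYS_FILE ARTIFACT SIGNATURE
# Returns 0 only when SIGNATURE is a valid signature over ARTIFACT made by a key
# present in KEYS_FILE. The import goes into a throwaway GNUPGHOME, so keys that
# happen to sit in the reviewer's default keyring can never satisfy the check.
verify_signature_against_keys() {
  local keys_file="$1" artifact="$2" signature="$3" home rc status
  home="$(mktemp -d)"
  # A KEYS file with no usable key leaves the keyring empty, and the check then
  # fails closed below; an import error is therefore not fatal on its own.
  GNUPGHOME="$home" gpg --batch --quiet --import "$keys_file" >/dev/null 2>&1 || true
  # --status-fd 1 emits machine-readable status lines; VALIDSIG is printed only
  # for a signature that verified against a key in this isolated keyring.
  rc=0
  status="$(GNUPGHOME="$home" gpg --batch --status-fd 1 \
            --verify "$signature" "$artifact" 2>/dev/null)" || rc=$?
  GNUPGHOME="$home" gpgconf --kill gpg-agent >/dev/null 2>&1 || true
  rm -rf "$home"
  if [ "$rc" -eq 0 ] && printf '%s\n' "$status" | grep -q '^\[GNUPG:\] VALIDSIG '; then
    return 0
  fi
  return 1
}

# verify_sha256 ARTIFACT EXPECTED_HEX
# Returns 0 only if ARTIFACT's SHA-256 equals the checksum published next to it.
verify_sha256() {
  local artifact="$1" expected="$2" actual
  actual="$(sha256sum "$artifact" | cut -d' ' -f1)"
  [ "$actual" = "$expected" ]
}

# run_demo: generate a throwaway release-manager key, sign a constructed
# artifact and exercise the accept path plus both reject paths. Returns 0 only
# if every outcome is the expected one.
run_demo() {
  local work rmhome art sig
  work="$(mktemp -d)"
  rmhome="$work/rm-gnupg"; mkdir -p "$rmhome"; chmod 700 "$rmhome"
  art="$work/tinkerpop-demo.zip"; sig="$art.asc"
  # Unprotected key so that batch signing needs no pinentry (demo only).
  GNUPGHOME="$rmhome" gpg --batch --quiet --gen-key >/dev/null 2>&1 <<'EOF'
%no-protection
Key-Type: RSA
Key-Length: 2048
Name-Real: Demo Release Manager
Name-Email: rm@example.invalid
Expire-Date: 0
%commit
EOF
  printf 'constructed release artifact\n' > "$art"
  GNUPGHOME="$rmhome" gpg --batch --yes --armor --detach-sign --output "$sig" "$art"
  # KEYS as the project would publish it: the release signer's public key.
  GNUPGHOME="$rmhome" gpg --batch --armor --export rm@example.invalid > "$work/KEYS"
  # A KEYS file that does not list the signer (empty here).
  : > "$work/KEYS-without-signer"
  GNUPGHOME="$rmhome" gpgconf --kill gpg-agent >/dev/null 2>&1 || true

  # 1. Signed by a listed key and untouched: accept.
  verify_signature_against_keys "$work/KEYS" "$art" "$sig" || return 1
  # 2. Valid signature, but the signer is not in KEYS: reject.
  if verify_signature_against_keys "$work/KEYS-without-signer" "$art" "$sig"; then return 1; fi
  # 3. Artifact modified after signing: reject.
  printf 'tampered\n' >> "$art"
  if verify_signature_against_keys "$work/KEYS" "$art" "$sig"; then return 1; fi
  rm -rf "$work"
}

if command -v gpg >/dev/null 2>&1; then
  run_demo && echo "signature checks behaved as expected"
fi
```

In a validation script the KEYS file passed to `verify_signature_against_keys` should be the copy fetched over HTTPS from the project's distribution servers, which is the point of Daniel's "hosted on Apache servers, not the one in the repo": a KEYS file taken from the same source tree as the artifact could be changed together with it. Both functions fail closed, so the surrounding script only needs to abort when either returns non-zero.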