Changing the subject to something more accurate due to thread drift.
On Mon, Aug 27, 2012 at 1:38 PM, Jim Jagielski j...@jagunet.com wrote:
On Aug 27, 2012, at 11:21 AM, Rob Weir robw...@apache.org wrote:
Identity != Trust.
Identity + Reputation == Trust.
The signature only guarantees
On Aug 27, 2012, at 2:13 PM, Rob Weir robw...@apache.org wrote:
People trust the Apache brand.
They download Apache stuff from somewhere.
That stuff is signed by an entity that is associated
with the Apache brand.
As you know, that last step does not occur today. If it did, then we'd
On Mon, Aug 27, 2012 at 2:48 PM, Jim Jagielski j...@jagunet.com wrote:
On Aug 27, 2012, at 2:13 PM, Rob Weir robw...@apache.org wrote:
People trust the Apache brand.
They download Apache stuff from somewhere.
That stuff is signed by an entity that is associated
with the Apache brand.
As
Great question, Jim,
1. The first substantial difference is that the operating system that runs the
binary installer *always* and automatically checks the embedded signature and
warns users when there is no such signature or when the signature is not from a
trusted source (in the PKI