On Fri, Feb 24, 2012 at 4:59 PM, Bruno Mahé <[email protected]> wrote:
>> 2. The items with "missing sigs" mentioned in the checker page
>> belong to some package repo you publish. It is clear that,
>> according to the rules, these packages must be signed, or
>> removed.
>>
>> Regards,
>>
>> HPP
>>
>
> Sure, since Roman was the release manager I guess he will have to sign
> every single file.
> I just opened the following ticket:
> https://issues.apache.org/jira/browse/BIGTOP-421
I'm totally willing to make repositories signed. However, that won't stop
the script from complaining. Will it be possible to satisfy Apache infra
requirements with signed apt/yum/zypper repos?

Linux distributions have been using this mechanism to guarantee the
authenticity of distributed artifacts for at least 7 years by now, and I'm
pretty sure it has passed the test of time as far as infosec policies are
concerned.

Henk, what's your take on this?

Thanks,
Roman.
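The repository-signing mechanism Roman refers to works by signing one top-level metadata file rather than every artifact: the signed metadata carries the digest of the package index, and the index carries the digest of each package, so a client that verifies the single signature can verify everything it downloads. The following is an added illustration written for this page, not code from the Bigtop project or from any package manager. It models the yum layout (repomd.xml -> primary.xml -> .rpm files; apt's Release -> Packages -> .deb is the same shape) with JSON in place of XML, and, so that it runs with only the Python standard library, uses an HMAC as a stand-in for the detached OpenPGP signature (repomd.xml.asc); the key and the package contents are constructed for the example.

```python
import hashlib
import hmac
import json

# Stand-in for the repository signing key. A real yum/apt repo uses a GPG
# key pair and a detached OpenPGP signature over the metadata file; an HMAC
# over the same bytes is used here only so the example runs offline.
# (Assumption: this value is invented for the example, not a real key.)
SIGNING_KEY = b"example-repo-signing-key-not-real"

# Constructed sample packages (names and contents are made up).
SAMPLE_PACKAGES = {
    "pkg-a-1.0.rpm": b"\x7fELF... contents of package a ...",
    "pkg-b-1.0.rpm": b"\x7fELF... contents of package b ...",
}


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sign(data: bytes, key: bytes) -> str:
    """Stand-in for 'gpg --detach-sign' (see the note above)."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def build_repo(packages: dict, key: bytes) -> dict:
    """Produce the files a client would fetch: the packages, an index listing
    each package's digest (the role of primary.xml), top-level metadata carrying
    the index's digest (the role of repomd.xml), and exactly ONE signature."""
    files = dict(packages)
    primary = json.dumps(
        {name: sha256(blob) for name, blob in sorted(packages.items())}
    ).encode()
    files["primary.json"] = primary
    repomd = json.dumps({"primary.json": sha256(primary)}).encode()
    files["repomd.json"] = repomd
    files["repomd.json.sig"] = sign(repomd, key).encode()
    return files


def verify_repo(files: dict, key: bytes) -> list:
    """Walk the trust chain the way yum/apt do; raise on the first break.
    Only the signature step uses the key; every later step is a digest check
    against a value that is transitively covered by that signature."""
    repomd = files["repomd.json"]
    expected_sig = sign(repomd, key)
    if not hmac.compare_digest(expected_sig, files["repomd.json.sig"].decode()):
        raise ValueError("bad signature on repository metadata")
    index_digests = json.loads(repomd)
    primary = files["primary.json"]
    if sha256(primary) != index_digests["primary.json"]:
        raise ValueError("package index does not match the signed digest")
    verified = []
    for name, digest in json.loads(primary).items():
        if name not in files:
            raise ValueError(f"{name} is listed in the index but missing")
        if sha256(files[name]) != digest:
            raise ValueError(f"{name} does not match the index digest")
        verified.append(name)
    return verified


def detects_tampering(packages: dict, key: bytes, target: str) -> bool:
    """Build a repo, append bytes to one file (a package, the index, or the
    metadata itself) and report whether verification rejects the result."""
    files = build_repo(packages, key)
    files[target] = files[target] + b"\x00backdoor"
    try:
        verify_repo(files, key)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    repo = build_repo(SAMPLE_PACKAGES, SIGNING_KEY)
    print("verified:", verify_repo(repo, SIGNING_KEY))
    for target in ("pkg-a-1.0.rpm", "primary.json", "repomd.json"):
        print(f"tampering with {target} detected:",
              detects_tampering(SAMPLE_PACKAGES, SIGNING_KEY, target))
```

Two points a practitioner should keep in mind when reading this against the thread: the single signature only covers files a client reaches through the metadata, so someone who downloads an .rpm or .deb directly from the web server gets no protection unless the artifact itself is also signed (rpm --addsign or a detached .asc next to it), which is what a per-file policy checker looks for; and yum treats these as separate switches (repo_gpgcheck for the metadata signature, gpgcheck for package signatures), so a signed repo and signed packages are complementary rather than interchangeable.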
