Roman Shaposhnik wrote on Fri, Feb 24, 2012 at 17:40:12 -0800:
> On Fri, Feb 24, 2012 at 4:59 PM, Bruno Mahé <[email protected]> wrote:
>
>>> 2. The items with "missing sigs" mentioned in the checker page
>>> belong to some package repo you publish. It is clear that,
>>> according to the rules, these packages must be signed, or
>>> removed.
>>>
>>> Regards,
>>>
>>> HPP
>>>
>>
>> Sure, since Roman was the release manager I guess he will have to sign
>> every single file.
>> I just opened the following ticket:
>> https://issues.apache.org/jira/browse/BIGTOP-421
>
> I'm totally willing to make repositories signed. However, that won't stop the
> script from complaining.
>
> Will it be possible to satisfy apache infra requirements with signed
> apt/yum/zypper repos?

Yes. The point is that releases must be cryptographically signed and verifiable. Signing the .asc files in the apt trees DOES NOT guarantee that. Signing the releases in the method specific to apt trees does. Follow the policy, not the scripts that implement it.

> Linux distributions have been using this mechanism to guarantee
> authenticity of distributed artifacts for at least 7 years by now and I'm pretty
> sure it has passed the test of time as far as infosec policies are concerned.
>
> Henk, what's your take on this?
>
> Thanks,
> Roman.
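To make concrete what "the method specific to apt trees" means, here is an added example (not code from this thread or from Bigtop) that walks the checksum chain apt follows below a signed Release file, over constructed sample files. The signature check of Release itself against the repository key (gpgv on InRelease or Release.gpg) is assumed to have passed before this runs; everything below it is covered by that one signature through the hashes.

```python
import hashlib

# Constructed sample repository (not real Bigtop files). apt's trust chain is:
# repo key signs Release -> Release lists SHA256 of Packages -> Packages lists
# SHA256 of each .deb, so one signature covers every artifact in the tree.
DEB_PATH = "pool/main/b/bigtop-example/bigtop-example_0.3.0-1_amd64.deb"
DEB_BYTES = b"!<arch>\nconstructed-package-contents\n"
PACKAGES = (f"Package: bigtop-example\nVersion: 0.3.0-1\nFilename: {DEB_PATH}\n"
            f"Size: {len(DEB_BYTES)}\nSHA256: {hashlib.sha256(DEB_BYTES).hexdigest()}\n\n").encode()
RELEASE = ("Suite: stable\nSHA256:\n"
           f" {hashlib.sha256(PACKAGES).hexdigest()} {len(PACKAGES)} main/binary-amd64/Packages\n")

def release_checksums(release_text):
    """{path: (sha256, size)} from the SHA256 section of a Release file."""
    entries, in_section = {}, False
    for line in release_text.splitlines():
        if not line.startswith(" "):           # a new field ends the section
            in_section = line.strip() == "SHA256:"
        elif in_section:
            digest, size, path = line.split()
            entries[path] = (digest, int(size))
    return entries

def packages_checksums(packages_text):
    """{Filename: (sha256, size)} for each stanza of a Packages index."""
    entries, stanza = {}, {}
    for line in packages_text.splitlines() + [""]:  # blank line ends a stanza
        if line:
            key, _, value = line.partition(":")
            stanza[key] = value.strip()
        elif stanza:
            entries[stanza["Filename"]] = (stanza["SHA256"], int(stanza["Size"]))
            stanza = {}
    return entries

def checked(data, expected):
    """Size and SHA256 of data match the (digest, size) the index vouched for."""
    digest, size = expected
    return len(data) == size and hashlib.sha256(data).hexdigest() == digest

def verify_chain(release_text, index_path, index_bytes, deb_path, deb_bytes):
    """True only if the (already signature-verified) Release vouches for the
    Packages index and that index in turn vouches for the .deb."""
    vouched = release_checksums(release_text)
    if index_path not in vouched or not checked(index_bytes, vouched[index_path]):
        return False
    listed = packages_checksums(index_bytes.decode())
    return deb_path in listed and checked(deb_bytes, listed[deb_path])
```

A modified .deb or a modified Packages index fails the chain even though nothing about the Release signature changed, which is why signing Release (rather than scattering .asc files) is what makes every artifact in the tree verifiable.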
