Daniel Halperin created BEAM-488:
------------------------------------

             Summary: Remove KEYS file
                 Key: BEAM-488
                 URL: https://issues.apache.org/jira/browse/BEAM-488
             Project: Beam
          Issue Type: Task
          Components: project-management
    Affects Versions: Not applicable
            Reporter: Daniel Halperin
            Assignee: Daniel Halperin


http://mail-archives.apache.org/mod_mbox/incubator-general/201606.mbox/%3CCAAS6=7hVLcw6060Un7sXxk+WLLh08DFOSWktC0Aam4F=dye...@mail.gmail.com%3E

> Bundling PGP keys inside a package is worse than worthless -- an attacker can just bundle spoofed keys with a bogus distro! Keys need to be made available from a highly reliable, separate server: Download the main package from a mirror, get PGP keys from apache.org, pgp.mit.edu, etc. and verify.
>
> The KEYS file within the Beam source tree should be deleted.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
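
The verification flow the quoted message describes, as an added shell example that is not part of the original issue or the Beam project: keys obtained from a separate source are imported into a throwaway keyring, the detached signature is checked against the archive, and a keys file located inside the unpacked package tree is refused. The function names and argument layout are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not Beam project code); function names are hypothetical.

# Absolute path with the directory part resolved physically (POSIX only).
abs_path() {
    if [ -d "$1" ]; then
        (cd "$1" && pwd -P)
    else
        (cd "$(dirname "$1")" && printf '%s/%s\n' "$(pwd -P)" "$(basename "$1")")
    fi
}

# Succeeds only if the keys file does NOT live inside the unpacked package
# tree. Keys shipped in the tree are chosen by whoever built the archive,
# so they prove nothing about who signed it.
keys_are_independent() {
    _k=$(abs_path "$1") || return 2
    _t=$(abs_path "$2") || return 2
    case "$_k" in
        "$_t"/*) return 1 ;;
        *) return 0 ;;
    esac
}

# verify_release <archive> <detached-sig> <keys-file> [unpacked-tree]
verify_release() {
    archive=$1 sig=$2 keys=$3 tree=${4:-}
    if [ -n "$tree" ] && ! keys_are_independent "$keys" "$tree"; then
        echo "refusing keys bundled with the package: $keys" >&2
        return 1
    fi
    # Throwaway keyring: only the independently obtained keys are present.
    home=$(mktemp -d) || return 2
    chmod 700 "$home"
    if gpg --homedir "$home" --batch --quiet --import "$keys" &&
       gpg --homedir "$home" --batch --verify "$sig" "$archive"; then
        rc=0
    else
        rc=1
    fi
    rm -rf "$home"
    return "$rc"
}

# Run directly: sh verify.sh <archive> <sig> <keys-file> [unpacked-tree]
if [ "$#" -ge 3 ]; then verify_release "$@"; fi
```

The keys file passed in is expected to have been fetched over a channel separate from the mirror that served the archive, as the message says.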