[ https://issues.apache.org/jira/browse/BEAM-488?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15393300#comment-15393300 ]
ASF GitHub Bot commented on BEAM-488:
-------------------------------------

GitHub user dhalperi opened a pull request:

    https://github.com/apache/incubator-beam/pull/732

    [BEAM-488] Remove KEYS file

    Per discussion, linked in JIRA:

    > Bundling PGP keys inside a package is worse than worthless – an
    > attacker can just bundle spoofed keys with a bogus distro! Keys need
    > to be made available from a highly reliable, separate server: Download
    > the main package from a mirror, get PGP keys from apache.org,
    > pgp.mit.edu, etc. and verify.
    >
    > The KEYS file within the Beam source tree should be deleted.

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/dhalperi/incubator-beam beam-488

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/incubator-beam/pull/732.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #732

----
commit a94f71b339120b2e10ff174d50bf5c9d8fe23023
Author: Dan Halperin <dhalp...@google.com>
Date:   2016-07-26T06:24:10Z

    [BEAM-488] Remove KEYS file

    Per discussion, linked in JIRA:

    > Bundling PGP keys inside a package is worse than worthless – an
    > attacker can just bundle spoofed keys with a bogus distro! Keys need
    > to be made available from a highly reliable, separate server: Download
    > the main package from a mirror, get PGP keys from apache.org,
    > pgp.mit.edu, etc. and verify.
    >
    > The KEYS file within the Beam source tree should be deleted.
----

> Remove KEYS file
> ----------------
>
>                 Key: BEAM-488
>                 URL: https://issues.apache.org/jira/browse/BEAM-488
>             Project: Beam
>          Issue Type: Task
>          Components: project-management
>    Affects Versions: Not applicable
>            Reporter: Daniel Halperin
>            Assignee: Daniel Halperin
>
> http://mail-archives.apache.org/mod_mbox/incubator-general/201606.mbox/%3CCAAS6=7hVLcw6060Un7sXxk+WLLh08DFOSWktC0Aam4F=dye...@mail.gmail.com%3E
>
> > Bundling PGP keys inside a package is worse than worthless -- an attacker
> > can just bundle spoofed keys with a bogus distro! Keys need to be made available
> > from a highly reliable, separate server: Download the main package from a
> > mirror, get PGP keys from apache.org, pgp.mit.edu, etc. and verify.
> >
> >
> > The KEYS file within the Beam source tree should be deleted.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
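The verification procedure the quoted thread prescribes (artifact from a mirror, detached signature and KEYS from apache.org, then verify), as an added shell example that is not part of this JIRA issue, the pull request, or the Beam project. It assumes the artifact, its .asc signature and the KEYS file have already been downloaded to local paths, that gpg is installed, and that the optional .sha512 file is in sha512sum format (first field is the digest). The "KEYS must not sit beside the artifact" guard is a heuristic of this example, not something the thread specifies; it exists to catch the exact mistake the thread describes, a keys file that arrived together with the package it is supposed to authenticate.

```shell
#!/bin/sh
# Added example (not Beam project code): verify an Apache release artifact
# against a detached PGP signature, using ONLY keys from a KEYS file that was
# fetched from a separate, trusted host (e.g. https://downloads.apache.org).
#
# Usage: verify_release <artifact> <artifact.asc> <KEYS> [<artifact.sha512>]
# Return codes: 0 good signature; 1 bad signature; 2 unreadable input;
#               3 KEYS co-located with artifact; 4 no gpg; 5 tmpdir failure;
#               6 KEYS import failed; 7 sha512 mismatch.
verify_release() {
    artifact=$1 sig=$2 keys=$3 sum_file=$4

    for f in "$artifact" "$sig" "$keys"; do
        [ -r "$f" ] || { echo "missing or unreadable: $f" >&2; return 2; }
    done

    # Heuristic guard (this example's assumption, not from the thread):
    # a KEYS file that travels with the artifact proves nothing, because
    # whoever could replace the artifact could replace the keys as well.
    art_dir=$(cd "$(dirname "$artifact")" && pwd -P)
    key_dir=$(cd "$(dirname "$keys")" && pwd -P)
    case "$key_dir" in
        "$art_dir"|"$art_dir"/*)
            echo "refusing: KEYS file is co-located with the artifact" >&2
            return 3 ;;
    esac

    # Optional checksum (also fetched from the canonical site, never the
    # mirror). A checksum only detects corruption; it is not a signature.
    if [ -n "$sum_file" ]; then
        expected=$(awk 'NR==1{print $1}' "$sum_file")
        if command -v sha512sum >/dev/null 2>&1; then
            actual=$(sha512sum "$artifact" | awk '{print $1}')
        else
            actual=$(shasum -a 512 "$artifact" | awk '{print $1}')
        fi
        [ "$expected" = "$actual" ] || { echo "sha512 mismatch: $artifact" >&2; return 7; }
    fi

    command -v gpg >/dev/null 2>&1 || { echo "gpg not installed" >&2; return 4; }

    # Ephemeral keyring: only the keys imported from the trusted KEYS file
    # exist in it, so a signature made with any other key cannot verify.
    home=$(mktemp -d) || return 5
    chmod 700 "$home"
    rc=0
    if ! GNUPGHOME="$home" gpg --batch --quiet --import "$keys" 2>/dev/null; then
        echo "could not import any key from $keys" >&2; rc=6
    elif ! GNUPGHOME="$home" gpg --batch --verify "$sig" "$artifact" 2>/dev/null; then
        echo "BAD signature: $artifact" >&2; rc=1
    else
        echo "good signature: $artifact" >&2
    fi
    rm -rf "$home"
    return $rc
}
```

A typical call is `verify_release ./apache-beam-X.tgz ./apache-beam-X.tgz.asc ~/trusted/KEYS ./apache-beam-X.tgz.sha512`, where only the first argument came from a mirror. The ephemeral GNUPGHOME matters: importing KEYS into a personal keyring would let unrelated keys already present there satisfy `gpg --verify`.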