[ 
https://issues.apache.org/jira/browse/BEAM-488?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15393300#comment-15393300
 ] 

ASF GitHub Bot commented on BEAM-488:
-------------------------------------

GitHub user dhalperi opened a pull request:

    https://github.com/apache/incubator-beam/pull/732

    [BEAM-488] Remove KEYS file

    Per discussion, linked in JIRA:
    
    > Bundling PGP keys inside a package is worse than worthless – an
    > attacker can just bundle spoofed keys with a bogus distro! Keys need
    > to be made available from a highly reliable, separate server: Download
    > the main package from a mirror, get PGP keys from apache.org,
    > pgp.mit.edu, etc. and verify.
    >
    > The KEYS file within the Beam source tree should be deleted.

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/dhalperi/incubator-beam beam-488

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/incubator-beam/pull/732.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #732
    
----
commit a94f71b339120b2e10ff174d50bf5c9d8fe23023
Author: Dan Halperin <dhalp...@google.com>
Date:   2016-07-26T06:24:10Z

    [BEAM-488] Remove KEYS file
    
    Per discussion, linked in JIRA:
    
    > Bundling PGP keys inside a package is worse than worthless – an
    > attacker can just bundle spoofed keys with a bogus distro! Keys need
    > to be made available from a highly reliable, separate server: Download
    > the main package from a mirror, get PGP keys from apache.org,
    > pgp.mit.edu, etc. and verify.
    >
    > The KEYS file within the Beam source tree should be deleted.

----


> Remove KEYS file
> ----------------
>
>                 Key: BEAM-488
>                 URL: https://issues.apache.org/jira/browse/BEAM-488
>             Project: Beam
>          Issue Type: Task
>          Components: project-management
>    Affects Versions: Not applicable
>            Reporter: Daniel Halperin
>            Assignee: Daniel Halperin
>
> http://mail-archives.apache.org/mod_mbox/incubator-general/201606.mbox/%3CCAAS6=7hVLcw6060Un7sXxk+WLLh08DFOSWktC0Aam4F=dye...@mail.gmail.com%3E
> > Bundling PGP keys inside a package is worse than worthless -- an attacker
> > can just bundle spoofed keys with a bogus distro!  Keys need to be made
> > available from a highly reliable, separate server: Download the main
> > package from a mirror, get PGP keys from apache.org, pgp.mit.edu, etc.
> > and verify.
> >
> > The KEYS file within the Beam source tree should be deleted.
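The verification flow the quoted message describes (artifact from a mirror, keys from a separate trusted host, then verify), written out as an added shell example; it is not code from the Beam PR or the JIRA thread. The trusted-host list, the function names, the environment variables and the placeholder URLs are assumptions made for the example, and the network path needs curl and gpg installed.

```shell
#!/usr/bin/env sh
# Added example, not code from the Beam PR or the JIRA thread: fetch a release
# artifact and its detached signature from a mirror, fetch the signing keys
# from a separate trusted host, and verify in a throwaway keyring.
set -eu

# Hosts allowed to serve KEYS. Assumption for this example; a project would
# list the canonical hosts its release process publishes keys on.
TRUSTED_KEY_HOSTS="downloads.apache.org www.apache.org"

# Print the host component of a URL of the form scheme://host[:port]/path.
url_host() {
    printf '%s\n' "$1" | sed -E 's#^[A-Za-z][A-Za-z0-9+.-]*://([^/:]+).*#\1#'
}

# Succeed only when the KEYS URL is on a trusted host AND that host differs
# from the one serving the artifact: keys bundled with, or served beside, the
# package cannot authenticate it, because whoever controls the package can
# control those keys too.
keys_source_ok() {
    keys_host=$(url_host "$1")
    artifact_host=$(url_host "$2")
    [ "$keys_host" != "$artifact_host" ] || return 1
    for h in $TRUSTED_KEY_HOSTS; do
        [ "$h" = "$keys_host" ] && return 0
    done
    return 1
}

# Import KEYS into a temporary GNUPGHOME and verify the signature there, so
# the user's own keyring is neither consulted nor modified. Requires gpg.
# Exit status 0 alone is not enough: insist on a GOODSIG status line.
verify_with_keys() {
    keys_file=$1; artifact=$2; signature=$3
    home=$(mktemp -d)
    gpg --homedir "$home" --batch --quiet --import "$keys_file"
    if gpg --homedir "$home" --batch --status-fd 1 --verify "$signature" "$artifact" 2>/dev/null \
        | grep -q '^\[GNUPG:\] GOODSIG '; then
        rm -rf "$home"; return 0
    fi
    rm -rf "$home"; return 1
}

# Download artifact, signature and KEYS, refusing up front if the KEYS source
# violates the separation rule. Requires curl.
fetch_and_verify() {
    artifact_url=$1; sig_url=$2; keys_url=$3
    if ! keys_source_ok "$keys_url" "$artifact_url"; then
        echo "refusing: KEYS must come from a trusted host separate from the mirror" >&2
        return 1
    fi
    work=$(mktemp -d)
    curl -fsSL -o "$work/artifact" "$artifact_url"
    curl -fsSL -o "$work/artifact.asc" "$sig_url"
    curl -fsSL -o "$work/KEYS" "$keys_url"
    if verify_with_keys "$work/KEYS" "$work/artifact" "$work/artifact.asc"; then
        rm -rf "$work"; return 0
    fi
    rm -rf "$work"; return 1
}

# The network path runs only when the caller supplies URLs, so the file can
# also be sourced just for its functions. The URLs below are placeholders.
#   RELEASE_URL=https://MIRROR/example-1.0.tgz SIG_URL=https://MIRROR/example-1.0.tgz.asc \
#   KEYS_URL=https://downloads.apache.org/PROJECT/KEYS sh verify-release.sh
if [ -n "${RELEASE_URL:-}" ]; then
    fetch_and_verify "$RELEASE_URL" "${SIG_URL:?}" "${KEYS_URL:?}" && echo "signature OK"
fi
```

A GOODSIG line only says the signature matches some key in the KEYS file that was imported; it says nothing about who owns that key. That is exactly why the KEYS file has to come from a host the project controls rather than from the tarball or the mirror that delivered it, and why the check in keys_source_ok runs before any download.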



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
