On 13 December 2015 at 21:08, Lieven Govaerts <l...@apache.org> wrote:
> Hi,
>
> the download page says:
>
> "First download the KEYS as well as the asc signature file for the
> particular distribution. Make sure you get these files from the main
> distribution directory, rather than from a mirror."
>
> Yet the KEYS file we distribute is on people.apache.org [1] where the
> KEYS files of all other projects are. So we are not distributing the
> file from the location that we stress people to use.
> I see other Apache projects having a copy of their KEYS file in the
> dist folder where they distribute the source tarballs from.
>
> Any objections against doing the same thing?
>
The problem is that tarballs are usually downloaded from mirrors (via plain http://), so downloading KEYS from there as well doesn't increase protection against forged tarballs.
-- Ivan Zhakov
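The verification step the download page describes, as an added example that is not part of this thread or of the project's own tooling: a POSIX shell function that trusts only the keys listed in a KEYS file (imported into a throwaway keyring) when checking a tarball against its detached .asc, plus an offline self-test that signs a constructed tarball with an ephemeral key. It assumes GnuPG 2.1+ is installed as gpg; the file names and the demo identity are hypothetical, and KEYS and the .asc are expected to have been fetched from the main distribution directory over https, while the tarball may come from a mirror.

```shell
#!/bin/sh
# Added example, not the project's own tooling. Verifies a release tarball
# against its detached .asc signature using ONLY the keys published in a
# KEYS file, inside a throwaway keyring so nothing already trusted on the
# verifying machine influences the decision. Assumes GnuPG 2.1+ as "gpg".

verify_release() {
    tarball=$1; sig=$2; keys=$3
    ring=$(mktemp -d) || return 2
    chmod 700 "$ring"
    # Import only what KEYS says; never consult the user's default keyring.
    GNUPGHOME="$ring" gpg --batch --quiet --import "$keys" 2>/dev/null || { rm -rf "$ring"; return 2; }
    rc=0
    GNUPGHOME="$ring" gpg --batch --quiet --verify "$sig" "$tarball" 2>/dev/null || rc=$?
    rm -rf "$ring"
    return $rc   # 0 = good signature by a key from KEYS, non-zero = reject
}

# Offline self-test on constructed data: an ephemeral release-manager key
# signs a fake tarball, its public key is exported as KEYS, and both the
# genuine and a tampered copy are checked. Returns 0 only if the genuine
# tarball verifies AND the tampered one is rejected.
run_demo() {
    work=$(mktemp -d) || return 2
    signer="$work/signer"; mkdir -m 700 "$signer" || return 2
    GNUPGHOME="$signer" gpg --batch --quiet --passphrase '' --pinentry-mode loopback \
        --quick-gen-key 'Demo Release Manager <rm@example.invalid>' default default never 2>/dev/null || return 2
    tb="$work/project-X.Y.Z.tar.gz"               # hypothetical file name
    printf 'constructed tarball contents\n' > "$tb"
    GNUPGHOME="$signer" gpg --batch --quiet --passphrase '' --pinentry-mode loopback \
        --armor --detach-sign --output "$tb.asc" "$tb" 2>/dev/null || return 2
    GNUPGHOME="$signer" gpg --batch --quiet --armor --export > "$work/KEYS" 2>/dev/null || return 2
    good=0; verify_release "$tb" "$tb.asc" "$work/KEYS" || good=$?
    printf 'one extra byte\n' >> "$tb"             # simulate a tampered download from a mirror
    bad=0;  verify_release "$tb" "$tb.asc" "$work/KEYS" || bad=$?
    rm -rf "$work"
    [ "$good" -eq 0 ] && [ "$bad" -ne 0 ]
}
```

In real use, call verify_release with the mirror-downloaded tarball and the KEYS and .asc files taken from the main distribution directory; a KEYS file obtained from the same mirror as the tarball adds nothing, which is the point Ivan makes above.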