rombert commented on issue #2: SLING-8029 Retrieve gpg key automatically if it is missing in keyring
URL: https://github.com/apache/sling-tooling-release/pull/2#issuecomment-431372901
 
 
The worst-case scenario I'm thinking of is the following:

1. PMC member "Alice" goes on vacation.
2. Malicious actor "Charlie" creates a GPG key and pushes it to the keyserver, using Alice's email.
3. Charlie breaks into Alice's Nexus account and uploads a malicious release.
4. Charlie forges an email coming from Alice and starts a vote on the dev list with the malicious release.
5. PMC members vote +1 on the release and the key is automatically accepted.

----

Granted, it's a pretty convoluted scenario but it only needs one weakness - the Nexus account credentials from a PMC member. Not automatically importing GPG keys would add a second layer.

It might be that I'm overthinking this and that this is not a really big issue :-)

But I fully agree that at least displaying the error message from GPG would be a great improvement.
