Hi,

On Mon, Jan 21, 2013 at 1:39 PM, Michael McCandless
<luc...@mikemccandless.com> wrote:
> I had thought we were supposed to ship the KEYS file next to all release bits.

Yes, my point is just that it's better if it's not expressed as a
*part* of the release candidate.

Otherwise there's a risk of implying that one could/should verify the
signature with the key included in the release, which is troublesome
for people who don't follow the Apache Web of Trust (i.e. the majority
of people out there). The best approach for such people is to download
the KEYS file directly from www.apache.org instead of from the mirror
from which they got the release or (even worse) from within the
release archive. Otherwise an attacker could simply add their own key
to the KEYS file before re-signing a modified release... That's why
for example http://tika.apache.org/download.html points directly to
http://www.apache.org/dist/tika/KEYS instead of using mirrors.

BR,

Jukka Zitting

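The procedure the mail describes, as an added shell example (not code from the original thread or from any Apache project): fetch KEYS from the canonical www.apache.org location the mail names rather than from the mirror, warn if the downloaded archive carries its own KEYS file, and verify the detached signature against a throwaway keyring populated only from the canonical KEYS. The project name, archive and signature filenames are assumed parameters; the KEYS URL pattern is the one given in the mail (https form), and the tar/curl/gpg invocations use only standard options of those tools.

```shell
#!/bin/sh
# Added example, not part of the original mail or of any Apache project's
# tooling. Verifies an Apache release against a KEYS file fetched from
# www.apache.org, never one taken from the mirror or from inside the archive.

# Canonical KEYS location named in the mail (https form). The project name
# is an explicit parameter; nothing is derived from the mirror URL, so a
# mirror cannot steer us to a KEYS file it controls.
keys_url_for() {
    printf 'https://www.apache.org/dist/%s/KEYS\n' "$1"
}

# Exit 0 if the .tar.gz archive bundles a KEYS file (top level or in its
# root directory), 1 otherwise. Such a file must not be used for verification:
# an attacker who re-signs a modified release can add their own key to it.
archive_bundles_keys() {
    tar -tzf "$1" | grep -Eq '^(\./)?([^/]+/)?KEYS$'
}

# verify_release <project> <archive> [<signature>]
# Example (assumed names): verify_release tika tika-1.3-src.tar.gz
verify_release() {
    project=$1; archive=$2; sig=${3:-$2.asc}

    if archive_bundles_keys "$archive"; then
        echo "warning: $archive bundles a KEYS file; it is ignored" >&2
    fi

    tmp=$(mktemp -d) || return 1
    chmod 700 "$tmp"                      # gpg insists on a private homedir
    url=$(keys_url_for "$project")

    # Fetch KEYS directly from www.apache.org, not from the mirror.
    if ! curl -fsSL "$url" -o "$tmp/KEYS"; then
        echo "error: cannot fetch $url" >&2
        rm -rf "$tmp"; return 1
    fi

    # Import into a throwaway keyring so nothing in the user's own keyring
    # (or the Web of Trust, which most users do not follow) is involved.
    if ! gpg --homedir "$tmp" --batch --quiet --import "$tmp/KEYS"; then
        echo "error: could not import $url" >&2
        rm -rf "$tmp"; return 1
    fi

    # A zero exit means a good signature from a key present in the canonical
    # KEYS file. gpg will still warn that the key is not certified; for
    # someone outside the Web of Trust that warning is expected.
    if gpg --homedir "$tmp" --batch --verify "$sig" "$archive"; then
        rc=0
    else
        rc=$?
        echo "error: signature on $archive did not verify" >&2
    fi
    rm -rf "$tmp"
    return $rc
}

if [ $# -ge 2 ]; then
    verify_release "$@"
fi
```

The check on the archive is only a warning because a legitimate release may ship KEYS as a convenience; what matters is that the verification step above never reads it. If the canonical fetch fails, the function refuses rather than falling back to a KEYS file sitting next to the download, since that file came from the same mirror as the release.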