On Mon, Jan 21, 2013 at 7:13 AM, Jukka Zitting <[email protected]> wrote:
> Hi,
>
> On Mon, Jan 21, 2013 at 1:39 PM, Michael McCandless
> <[email protected]> wrote:
>> I had thought we were supposed to ship the KEYS file next to all release
>> bits.
>
> Yes, my point is just that it's better if it's not expressed as a
> *part* of the release candidate.
>
> Otherwise there's a risk of implying that one could/should verify the
> signature with the key included in the release, which is troublesome
> for people who don't follow the Apache Web of Trust (i.e. the majority
> of people out there). The best approach for such people is to download
> the KEYS file directly from www.apache.org instead of from the mirror
> from which they got the release or (even worse) from within the
> release archive. Otherwise an attacker could simply add their own key
> to the KEYS file before re-signing a modified release... That's why
> for example http://tika.apache.org/download.html points directly to
> http://www.apache.org/dist/tika/KEYS instead of using mirrors.
OK, this makes sense! Thanks for the explanation, Jukka.

Mike McCandless

http://blog.mikemccandless.com
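The verification flow Jukka describes, written out as an added shell example (not part of the thread and not an Apache project script): the KEYS file is accepted only when it comes from www.apache.org/dist, never from the mirror that served the artifact or from inside the release archive, and the signature is checked in a throwaway GnuPG home so that a "Good signature" can only come from a key in that canonical KEYS file. The `verify_release` function, the URL policy in `keys_source_ok`, and the use of `curl` and `gpg` are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from any Apache project.
# Verifies an Apache release artifact against its detached .asc signature,
# importing signing keys only from the canonical KEYS location.
set -eu

# Policy check: accept only the canonical KEYS location on www.apache.org/dist.
# Mirror URLs, local paths and anything unpacked from the release archive are refused.
keys_source_ok() {
    case "$1" in
        https://www.apache.org/dist/*/KEYS|http://www.apache.org/dist/*/KEYS) return 0 ;;
        *) return 1 ;;
    esac
}

# verify_release ARTIFACT KEYS_URL
# Downloads KEYS from the canonical location, imports it into a fresh keyring
# and verifies ARTIFACT.asc against ARTIFACT. Returns non-zero on any failure.
verify_release() {
    artifact=$1
    keys_url=$2

    if ! keys_source_ok "$keys_url"; then
        echo "refusing KEYS from non-canonical source: $keys_url" >&2
        return 2
    fi
    [ -f "$artifact" ] || { echo "missing artifact: $artifact" >&2; return 2; }
    [ -f "$artifact.asc" ] || { echo "missing signature: $artifact.asc" >&2; return 2; }

    # Fresh GnuPG home: the only keys present are the ones from the canonical
    # KEYS file, so a good signature cannot come from a key that was merely
    # lying around in the user's personal keyring.
    tmp=$(mktemp -d)
    GNUPGHOME="$tmp/gnupg"
    export GNUPGHOME
    mkdir -m 700 "$GNUPGHOME"

    curl -fsSL -o "$tmp/KEYS" "$keys_url"
    gpg --batch --quiet --import "$tmp/KEYS"
    # gpg --verify exits non-zero on a bad or unknown-key signature.
    gpg --batch --verify "$artifact.asc" "$artifact"
    rc=$?
    rm -rf "$tmp"
    return $rc
}

# Stand-alone use: ./verify-release.sh tika-app-1.3.jar https://www.apache.org/dist/tika/KEYS
if [ "$#" -ge 2 ]; then
    verify_release "$1" "$2"
fi
```

Running this with a KEYS URL taken from the mirror page, or with the KEYS file found inside the unpacked archive, fails before any key is imported, which is exactly the "attacker adds their own key and re-signs" case the thread warns about. The fresh `GNUPGHOME` matters for the same reason: with the user's regular keyring, `gpg --verify` would happily report a good signature from any key it already knew, regardless of whether that key appears in the canonical KEYS file.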
