https://bz.apache.org/bugzilla/show_bug.cgi?id=57109
Sebb <[email protected]> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|RESOLVED |REOPENED Resolution|INVALID |--- --- Comment #3 from Sebb <[email protected]> --- The documentation problem still exists. If an attacker manages to replace the sig file with a self-contained signed file, the release file will not be checked against the sig unless it is specified. Agreed it is very unlikely - especially if the sig is downloaded from an ASF server - but we should not be giving bad advice. -- You are receiving this mail because: You are the assignee for the bug. --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
