Greg Stein wrote on Wed, Oct 10, 2012 at 21:31:30 -0400:
> Not too much. We still instruct users "take the signatures and verify
> them against blah.apache.org/KEYS". John Blackhat could replace the
> signatures and install his entry into KEYS.

If you use https://people.apache.org/keys/ instead of KEYS files in the dist/ tree, John would have to crack two machines rather than one. </plug> :-P