On Sat, Jun 13, 2015 at 10:35 PM, Niclas Hedhman <nic...@hedhman.org> wrote:
> Cédric,
> you are very vague about it, and it could well be that everything is ok.
> But I suggest that you let infra@ give an opinion about the security level
> of the solution that you are running with.
>
> For instance, (IIUIC) one rogue PMC member could compromise the private key
> secretly, and no one would be the wiser.
>
> Also, you even say yourself "Checking the release is a human job." and how
> do you indicate that you have checked a particular release ---> You sign it
> with your (the reviewer's) own key. Otherwise, how do you know what you
> reviewed is what is being released?
I would like to take a moment and make the point that I very much share Niclas' concerns. I have no trust in "collectively owned" keys whatsoever.

Thanks,
Roman.