On Mon, Jun 13, 2016 at 11:37 AM, Julian Hyde <jh...@apache.org> wrote:
> 2. It’s customary (required?) for there to be a KEYS file in
> https://dist.apache.org/repos/dist/dev/incubator/beam/. Maybe include it
> next release?

The KEYS file is required, by Release Distribution Policy.

http://www.apache.org/dev/release-distribution#sigs-and-sums

    Projects MUST publish a "KEYS" file in their distribution directory
    which contains all public keys used to sign artifacts. Signing keys
    used at Apache MUST be published in the KEYS file and SHOULD be made
    available through the global public keyserver network. [...]

Since the KEYS file is not part of the artifacts being voted on, there's no
reason to wait to resolve this issue by committing the keys file to the
following location:

https://dist.apache.org/repos/dist/release/incubator/beam/KEYS

> But I imported
> https://github.com/apache/incubator-beam/blob/v0.1.0-incubating-RC3/KEYS
> easily enough.

Bundling PGP keys inside a package is worse than worthless -- an attacker
can just bundle spoofed keys with a bogus distro! Keys need to be made
available from a highly reliable, separate server: Download the main
package from a mirror, get PGP keys from apache.org, pgp.mit.edu, etc. and
verify.

The KEYS file within the Beam source tree should be deleted. (This doesn't
block the release.)

Marvin Humphrey
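The verification flow Marvin describes (artifact from a mirror, KEYS from the separate dist.apache.org host, then signature and checksum checks) as an added shell example; it is not part of this thread or of the Beam project. It assumes gpg and curl are on PATH, that a `.sha512` sidecar accompanies the artifact (the sidecar name is an assumption, not something stated in the message), and it uses the dist.apache.org KEYS URL given above. It also refuses a KEYS file that lives inside the unpacked source tree, which is exactly the bundled-keys case the message warns about.

```shell
#!/bin/sh
# Added example: verify an Apache release artifact against out-of-band keys.
# Assumptions: gpg/curl available; checksum sidecar is "<artifact>.sha512".

# Trusted, separate host for keys (URL taken from the message above).
KEYS_URL="https://dist.apache.org/repos/dist/release/incubator/beam/KEYS"

# Fetch KEYS from the trusted host into $1 (never from the mirror or tarball).
fetch_keys() {
  curl -fsSL -o "$1" "$KEYS_URL"
}

# Hex SHA-512 digest of a file; falls back to shasum on systems without sha512sum.
sha512_of() {
  if command -v sha512sum >/dev/null 2>&1; then
    sha512sum "$1" | awk '{print $1}'
  else
    shasum -a 512 "$1" | awk '{print $1}'
  fi
}

# Return 0 only if the first token of the .sha512 sidecar matches the artifact.
verify_checksum() {
  artifact=$1
  sumfile=$2
  expected=$(awk 'NR==1 {print tolower($1)}' "$sumfile")
  actual=$(sha512_of "$artifact")
  [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# Return 0 only if the KEYS file is NOT located under the unpacked source tree.
keys_outside_tree() {
  keys_dir=$(cd "$(dirname "$1")" && pwd -P)
  tree=$(cd "$2" && pwd -P)
  case "$keys_dir/" in
    "$tree"/*) return 1 ;;
  esac
  return 0
}

# Import KEYS into a throwaway keyring and verify the detached signature.
# gpg still prints a trust warning for imported keys; compare the signing
# fingerprint with the one listed in KEYS before accepting the result.
verify_signature() {
  keys=$1
  artifact=$2
  sig=${3:-$2.asc}
  keyring=$(mktemp -d)
  chmod 700 "$keyring"
  GNUPGHOME=$keyring gpg --batch --quiet --import "$keys" 2>/dev/null
  if GNUPGHOME=$keyring gpg --batch --verify "$sig" "$artifact"; then
    rc=0
  else
    rc=1
  fi
  rm -rf "$keyring"
  return $rc
}

# Usage: verify_release.sh <artifact> <unpacked-source-dir>
main() {
  artifact=$1
  srcdir=$2
  keys=$(mktemp)
  fetch_keys "$keys" || { echo "cannot fetch KEYS from trusted host"; exit 1; }
  keys_outside_tree "$keys" "$srcdir" || { echo "refusing KEYS from inside the tree"; exit 1; }
  verify_checksum "$artifact" "$artifact.sha512" || { echo "checksum mismatch"; exit 1; }
  verify_signature "$keys" "$artifact" || { echo "bad signature"; exit 1; }
  rm -f "$keys"
  echo "OK: $artifact verified against out-of-band KEYS"
}

if [ $# -ge 1 ]; then
  main "$@"
fi
```

The KEYS file is downloaded to a temp path outside the source tree and the keyring is created fresh for each run, so a key that happened to be shipped inside the archive can never be the one that validates the signature.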