andersk commented on issue #41678: URL: https://github.com/apache/arrow/issues/41678#issuecomment-2113519633
That doesn’t solve the issue. There are 16 distinct keys in that new keyring file, 5 of which are expired, so presumably it’s changing quite frequently. Like I said, downloading new copies of the keyring every time it changes defeats the whole point of verifying PGP signatures, because an attacker who can tamper with the binary can also tamper with the keyring. Zulip needs a stable root of trust for our external dependencies that can be baked into our release tarball. Ideally we would like it to be the one that’s already baked into our existing release tarball, so that our existing release tarball isn’t broken.
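As an added illustration of the trust-root argument in the comment above (this is example code, not from the issue thread, Arrow, or Zulip), the Go program below models the two policies with Ed25519 keys standing in for PGP: a keyring pinned in the release tarball versus one fetched from the same server as the artifact. All keys, artifact bytes and the `Keyring`/`Scenario` names are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// Keyring maps a key fingerprint to its public key (stand-in for a PGP keyring).
type Keyring map[string]ed25519.PublicKey
func fingerprint(pub ed25519.PublicKey) string { return hex.EncodeToString(pub) }
// VerifyAgainst checks a detached signature using only the keys in ring and
// returns the fingerprint of the key that verified, or "" if none did.
func VerifyAgainst(ring Keyring, artifact, sig []byte) string {
	for fp, pub := range ring {
		if ed25519.Verify(pub, artifact, sig) {
			return fp
		}
	}
	return ""
}

// Result records which keyring policy accepted which artifact.
type Result struct {
	GenuineByPinned      bool // genuine release vs. keyring pinned in our tarball
	TamperedByDownloaded bool // tampered release vs. keyring fetched beside it
	TamperedByPinned     bool // tampered release vs. pinned keyring
}

// Scenario models the comment's argument: whoever can replace the artifact and
// its signature on the download server can replace the keyring served beside
// them too; only a keyring pinned elsewhere detects the swap.
// All keys and artifact bytes below are constructed sample data.
func Scenario() Result {
	maintPub, maintPriv, _ := ed25519.GenerateKey(rand.Reader)
	pinned := Keyring{fingerprint(maintPub): maintPub} // baked into the release tarball
	genuine := []byte("upstream-release.tar.gz (constructed contents)")
	genuineSig := ed25519.Sign(maintPriv, genuine)
	atkPub, atkPriv, _ := ed25519.GenerateKey(rand.Reader)
	tampered := []byte("upstream-release.tar.gz (constructed, tampered contents)")
	tamperedSig := ed25519.Sign(atkPriv, tampered)
	downloaded := Keyring{fingerprint(atkPub): atkPub} // fetched with the artifact
	return Result{
		GenuineByPinned:      VerifyAgainst(pinned, genuine, genuineSig) != "",
		TamperedByDownloaded: VerifyAgainst(downloaded, tampered, tamperedSig) != "",
		TamperedByPinned:     VerifyAgainst(pinned, tampered, tamperedSig) != "",
	}
}

func main() { fmt.Printf("%+v\n", Scenario()) }
```

The downloaded keyring accepts the tampered artifact because both came from the same attacker-controlled source, while the pinned keyring rejects it and still accepts the genuine release.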