Hello, I have some concerns about the download packages for ActiveMQ. I tried to create a Jira account, but it didn't work (even after getting the account signup confirmation), so I'm posting this here in the hope one of the developers will catch it.
For apache-activemq-5.3.2-bin.tar.gz:

1) package file/dir permissions allow world-write to key components
2) signing keys: 1 good, 1 expired, 1 not in KEYS file :-(

----------------------------

Inconsistent ownership of files in tarball (some 0/0, some 501/501, some david/david).

World-writable files by default:

-rwxrwxrwx david/david 83820 2010-04-26 15:57 apache-activemq-5.3.2/bin/wrapper.jar
-rwxrwxrwx david/david   592 2010-04-26 15:56 apache-activemq-5.3.2/conf/broker-localhost.cert
drwxrwxrwx 501/501         0 2010-04-26 15:57 apache-activemq-5.3.2/webapps/admin/
drwxrwxrwx 501/501         0 2010-04-26 15:57 apache-activemq-5.3.2/webapps/fileserver/
etc...

It would make me feel a lot better if ownerships were consistent and there weren't any world-writable components in the distribution tarball. Yeah, I can change them after extraction, but it's probably not good form to ship this way. (And it doesn't make the DoD Security Readiness Review checks very happy.)

----------------------------

# ~sdowdy/bin/gpg-quick-verify apache-activemq-5.3.2-bin.tar.gz.asc
gpg: keyring `/tmp/gnupg.root.MxBNumyn/secring.gpg' created
gpg: keyring `/tmp/gnupg.root.MxBNumyn/pubring.gpg' created
gpg: /tmp/gnupg.root.MxBNumyn/trustdb.gpg: trustdb created
gpg: key F5BA7E4F: public key "Hiram Chirino <hi...@hiramchirino.com>" imported
gpg: key 56F3E01B: public key "David Jencks (geronimo) <david_jen...@yahoo.com>" imported
gpg: key 456DFEA9: public key "David M. Johnson (Dave Johnson) <snoopd...@apache.org>" imported
gpg: key 17AA5B25: public key "David Johnson <snoopd...@apache.org>" imported
gpg: key 69CC103E: public key "Gary Tully (key for apache releases) <gary.tu...@gmail.com>" imported
gpg: key 2C983957: public key "Bruce Snyder <bsny...@apache.org>" imported
gpg: key 6852C7DA: public key "Dejan Bosanac <de...@nighttale.net>" imported
gpg: Total number processed: 7
gpg:               imported: 7  (RSA: 1)
gpg: no ultimately trusted keys found

%%%%% Checking apache-activemq-5.2.0-bin.tar.gz.asc
gpg: Signature made Thu 06 Nov 2008 03:48:13 AM MST using DSA key ID 69CC103E
gpg: Good signature from "Gary Tully (key for apache releases) <gary.tu...@gmail.com>"
********* Okay, one GOOD signature *********
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 1C79 8312 378D 94C0 4D94  7587 F135 DBE2 69CC 103E

%%%%% Checking apache-activemq-5.3.0-bin.tar.gz.asc
gpg: Signature made Thu 08 Oct 2009 04:36:52 AM MDT using DSA key ID 6852C7DA
gpg: Good signature from "Dejan Bosanac <de...@nighttale.net>"
gpg: Note: This key has expired!
******** Good, but expired key **********
Primary key fingerprint: A526 834C C957 4F59 465A  0C88 C31A 3F70 6852 C7DA

%%%%% Checking apache-activemq-5.3.2-bin.tar.gz.asc
gpg: Signature made Mon 26 Apr 2010 04:24:47 PM MDT using RSA key ID A2F9E313
gpg: Can't check signature: public key not found
******** doesn't exist in supplied KEYS file **********
/bin/rm -rf /tmp/gnupg.root.MxBNumyn

thanks,
--stephen

-- 
Stephen Dowdy - Systems Administrator - NCAR/RAL
303.497.2869 - sdo...@ucar.edu - http://www.ral.ucar.edu/~sdowdy/
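The two checks the post runs by hand (scan the tarball listing for world-writable entries and inconsistent owners, then verify the detached signature against only the project's KEYS file in a throwaway keyring) as one POSIX shell script. This is an added example, not part of the original message and not the poster's ~sdowdy/bin/gpg-quick-verify, which the post does not include. The function names, the default KEYS filename, and the assumption about `tar tvf` output (mode string in field 1; owner as "user/group" for GNU/busybox tar or as separate user and group fields for bsdtar) are mine.

```shell
#!/bin/sh
# Added example: pre-install checks for a release tarball. Not the project's code
# and not the poster's gpg-quick-verify script.
#   check_world_writable TARBALL   -> prints entries whose mode grants o+w; exit 1 if any
#   count_owners TARBALL           -> prints how many distinct owner/group pairs appear
#   verify_release KEYS TARBALL    -> verifies TARBALL.asc against KEYS in a temporary keyring
# Assumption: `tar tvf` output has the mode string as field 1 and the owner either
# as "user/group" (GNU/busybox tar) or as separate user and group fields (bsdtar).

check_world_writable() {
    # Character 9 of the mode string is the "other" write bit, e.g. -rwxrwxrwx.
    tar tvf "$1" | awk 'substr($1, 9, 1) == "w" { print; found = 1 }
                        END { exit found ? 1 : 0 }'
}

count_owners() {
    tar tvf "$1" | awk '{ owner = index($2, "/") ? $2 : $3 "/" $4; seen[owner] = 1 }
                        END { n = 0; for (o in seen) n++; print n }'
}

verify_release() {
    keys=$1
    tarball=$2
    home=$(mktemp -d) || return 2
    chmod 700 "$home"
    # Import only the project's KEYS file, so the verdict reflects that file and
    # not whatever happens to be in the operator's own keyring.
    GNUPGHOME=$home gpg --batch --quiet --import "$keys" 2>/dev/null
    # --status-fd gives machine-readable verdicts; the exit code alone does not
    # separate "good signature" from "good signature by an expired key".
    status=$(GNUPGHOME=$home gpg --batch --status-fd 1 --verify "$tarball.asc" "$tarball" 2>/dev/null)
    rm -rf "$home"
    case $status in
        *"[GNUPG:] EXPKEYSIG"*) echo "good signature, but the signing key has expired"; return 1 ;;
        *"[GNUPG:] GOODSIG"*)   echo "good signature"; return 0 ;;
        *"[GNUPG:] NO_PUBKEY"*) echo "signing key is not in $keys"; return 1 ;;
        *)                      echo "signature did not verify"; return 1 ;;
    esac
}

# Usage: sh check-release.sh apache-activemq-5.3.2-bin.tar.gz [KEYS]
if [ $# -ge 1 ]; then
    tarball=$1
    keys=${2:-KEYS}
    echo "== world-writable entries in $tarball"
    check_world_writable "$tarball" && echo "(none)"
    echo "== distinct owner/group pairs: $(count_owners "$tarball")"
    echo "== signature check against $keys"
    verify_release "$keys" "$tarball"
fi
```

Two caveats worth keeping in mind when reading the output. GNU tar preserves recorded permissions by default when the superuser extracts, so world-writable entries in the archive become world-writable files on disk for a root install unless the operator masks them. And a "good" verdict from a throwaway keyring only proves the signature matches a key listed in KEYS; the "not certified with a trusted signature" warning the post shows is expected in that setup, and whether to trust KEYS itself is a separate decision.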