Home | About | Sematext search-lucene.com search-hadoop.com
 Search Hadoop and all its subprojects:

Switch to Threaded View
Hive >> mail # dev >> Removing the PGP sigs from dist

Copy link to this message
Removing the PGP sigs from dist
   The current Apache policy is to not mirror PGP signatures of releases to
the mirrors, because it provides a false sense of trust. For example, if
you look at a mirror such as http://apache.claz.org/hive/hive-0.10.0/,
you'll only see the two tarballs. If you look at the Apache site
http://www.us.apache.org/dist/hive/hive-0.10.0/, you'll see the tarballs,
md5s, and asc.

  In the same way, it doesn't seem right to put the KEYS file in a file
that is included in the mirrors. Fortunately, Apache already has a service
that builds a pgp keys file dynamically from ldap. Hive's file can be found
at: https://people.apache.org/keys/group/hive.asc

  I propose that we remove the KEYS file from our dist area and add some
text to http://hive.apache.org/releases.html that points to how to check
the signatures and checksums of the releases. We can include the old KEYS
file in the site for checking old releases.