Details
Type: Task
Status: Resolved
Priority: P2
Resolution: Fixed
Not applicable
None
Description
> Bundling PGP keys inside a package is worse than worthless – an attacker can
just bundle spoofed keys with a bogus distro! Keys need to be made available
from a highly reliable, separate server: Download the main package from a
mirror, get PGP keys from apache.org, pgp.mit.edu, etc. and verify.
>
> The KEYS file within the Beam source tree should be deleted.
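The verification flow the description asks for, as an added example that is not part of this issue or of the Beam project. It stands up a legitimate release manager and an attacker with their own throwaway GnuPG keys, signs a genuine artifact and a tampered one, and then runs the same detached-signature check three times: genuine artifact against an out-of-band KEYS file, bogus artifact against the KEYS file bundled next to it (which "verifies", which is exactly why a bundled KEYS file is worthless), and bogus artifact against the out-of-band KEYS file (which rejects it). Assumptions: GnuPG 2.1 or later (`gpg`, `gpgconf`) is installed; every key, user id, file name and the local `apache.org` directory are constructed for the demo, the latter standing in for the project's real KEYS file, which Apache projects publish at `https://downloads.apache.org/<project>/KEYS` over TLS, separate from the mirrors that serve the artifacts.

```shell
#!/bin/sh
# Added example, not from the Beam issue or the Beam project: why a KEYS file
# shipped inside a distribution proves nothing, and why the KEYS file must be
# fetched out of band (for Apache projects, from apache.org) instead.
# All keys, names, paths and artifact contents below are constructed for
# the demo. Requires GnuPG 2.1+ (gpg, gpgconf).
set -eu

if ! command -v gpg >/dev/null 2>&1; then
    echo "gpg not found; demo skipped" >&2
    exit 0
fi

WORK=$(mktemp -d)
cleanup() {
    for d in rm attacker; do
        gpgconf --homedir "$WORK/$d" --kill gpg-agent 2>/dev/null || true
    done
    rm -rf "$WORK"
}
trap cleanup EXIT

# A private GnuPG home per party, so nothing touches the real user keyring.
new_home() { mkdir -p "$WORK/$1"; chmod 700 "$WORK/$1"; printf '%s\n' "$WORK/$1"; }

# Unattended key generation with an empty passphrase (demo keys only).
gen_key() {  # gen_key <homedir> <user-id>
    gpg --homedir "$1" --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-gen-key "$2"
}

# Detached, ASCII-armored signature, the form Apache releases ship as <file>.asc.
sign_detached() {  # sign_detached <homedir> <file>
    gpg --homedir "$1" --batch --yes --quiet --pinentry-mode loopback --passphrase '' \
        --armor --detach-sign --output "$2.asc" "$2"
}

# Export every public key in <homedir> as an armored KEYS file.
export_keys() {  # export_keys <homedir> <KEYS-file>
    gpg --homedir "$1" --batch --armor --export > "$2"
}

# The user-side check: import ONLY the given KEYS file into a fresh, empty
# keyring and verify <artifact>.asc against <artifact>. Returns 0 when the
# signature is good and was made by a key contained in that KEYS file.
# Whether the check means anything depends entirely on where KEYS came from.
verify_release() {  # verify_release <artifact> <KEYS-file>
    ring=$(mktemp -d "$WORK/verify.XXXXXX")
    chmod 700 "$ring"
    gpg --homedir "$ring" --batch --quiet --import "$2" 2>/dev/null
    if gpg --homedir "$ring" --batch --verify "$1.asc" "$1" 2>/dev/null; then rc=0; else rc=1; fi
    gpgconf --homedir "$ring" --kill gpg-agent 2>/dev/null || true
    rm -rf "$ring"
    return $rc
}

# --- constructed scenario -------------------------------------------------
RM=$(new_home rm)                # legitimate release manager
ATTACKER=$(new_home attacker)    # builder of a bogus distribution
gen_key "$RM"       "Release Manager (demo) <rm@example.invalid>"
gen_key "$ATTACKER" "Release Manager (spoof) <rm@example.invalid>"  # same name and address

# Out-of-band KEYS: a local directory standing in for the project's KEYS on apache.org.
mkdir -p "$WORK/apache.org"
TRUSTED_KEYS="$WORK/apache.org/KEYS"
export_keys "$RM" "$TRUSTED_KEYS"

# Genuine release as served by a mirror: artifact plus .asc, no KEYS file.
mkdir -p "$WORK/mirror"
GENUINE="$WORK/mirror/demo-source-release.zip"
printf 'genuine source release\n' > "$GENUINE"
sign_detached "$RM" "$GENUINE"

# Bogus distribution: tampered artifact, signed by the attacker, with a KEYS
# file bundled alongside that happens to contain the attacker's key.
mkdir -p "$WORK/bogus"
BOGUS="$WORK/bogus/demo-source-release.zip"
BUNDLED_KEYS="$WORK/bogus/KEYS"
printf 'backdoored source release\n' > "$BOGUS"
sign_detached "$ATTACKER" "$BOGUS"
export_keys "$ATTACKER" "$BUNDLED_KEYS"

report() { if "$@"; then echo "signature accepted"; else echo "signature REJECTED"; fi; }
printf 'genuine artifact, KEYS from apache.org: '; report verify_release "$GENUINE" "$TRUSTED_KEYS"
printf 'bogus artifact, bundled KEYS:           '; report verify_release "$BOGUS" "$BUNDLED_KEYS"
printf 'bogus artifact, KEYS from apache.org:   '; report verify_release "$BOGUS" "$TRUSTED_KEYS"
```

The second line of output is the point of the issue: the bogus artifact passes `gpg --verify` against the KEYS file that travelled with it, because the attacker chose both. Only the third check, against a KEYS file obtained from a source the attacker does not control, rejects it, and nothing in the artifact itself can substitute for that separate fetch.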