[prev in list] [next in list] [prev in thread] [next in thread] 

List:       apache-logging-general
Subject:    Re: KEYS in dist (was Re: [VOTE] Release Log4Net 1.2.13 based on RC3)
From:       "Christian Grobmeier" <grobmeier () gmail ! com>
Date:       2013-11-21 9:05:01
Message-ID: 4F5F1C6E-CED5-4B60-A1AC-4904BCD48E90 () gmail ! com
[Download RAW message or body]

On 21 Nov 2013, at 9:56, Stefan Bodewig wrote:

> On 2013-11-21, Christian Grobmeier wrote:
>
>> On 21 Nov 2013, at 8:15, Stefan Bodewig wrote:
>
>>> On 2013-11-21, Christian Grobmeier wrote:
>
>>>> One no blocker which I just saw: the KEYS file is included in the
>>>> dist. Shouldn't it be left out?
>
>>> I think we've always done it that way in log4net and I know Ant has been
>>> doing so since 2000 - what's wrong with it?
>
>> when somebody downloads it and opens the zip, it is tempting to
>> validate the package against the included KEYS file. But if somebody
>> could manipulate the content of the package, he also could manipulate
>> the KEYS file.  For that reason the KEYS file should be on a different
>> location. This is the case, that's why I meant it's not critical. It
>> is on the other hand tempting to take the included one… nitpickery!
>> Thanks for pushing out the release!
>
> If this "somebody" downloaded the signature from the ASF and not from a
> mirror then the signature will not work if the zip has been modified, no
> matter which KEYS file it contains.  Unless you think the attacker has
> modifie the signature, but then the KEYS file in the dist area would be
> as vulnerable as that.

Good point. Not sure if this is actually a problem or not.
When I have time I will ask one of the infra gurus.

cheers
Christian

>
> Stefan


---
http://www.grobmeier.de
@grobmeier
GPG: 0xA5CC90DB
[prev in list] [next in list] [prev in thread] [next in thread]