[prev in list] [next in list] [prev in thread] [next in thread]
List: apache-logging-general
Subject: Re: KEYS in dist (was Re: [VOTE] Release Log4Net 1.2.13 based on RC3)
From: "Christian Grobmeier" <grobmeier () gmail ! com>
Date: 2013-11-21 9:05:01
Message-ID: 4F5F1C6E-CED5-4B60-A1AC-4904BCD48E90 () gmail ! com
[Download RAW message or body]
On 21 Nov 2013, at 9:56, Stefan Bodewig wrote:
> On 2013-11-21, Christian Grobmeier wrote:
>
>> On 21 Nov 2013, at 8:15, Stefan Bodewig wrote:
>
>>> On 2013-11-21, Christian Grobmeier wrote:
>
>>>> One no blocker which I just saw: the KEYS file is included in the
>>>> dist. Shouldn't it be left out?
>
>>> I think we've always done it that way in log4net and I know Ant has been
>>> doing so since 2000 - what's wrong with it?
>
>> when somebody downloads it and opens the zip, it is tempting to
>> validate the package against the included KEYS file. But if somebody
>> could manipulate the content of the package, he also could manipulate
>> the KEYS file. For that reason the KEYS file should be on a different
>> location. This is the case, that's why I meant it's not critical. It
>> is on the other hand tempting to take the included oneā¦ nitpickery!
>> Thanks for pushing out the release!
>
> If this "somebody" downloaded the signature from the ASF and not from a
> mirror then the signature will not work if the zip has been modified, no
> matter which KEYS file it contains. Unless you think the attacker has
> modifie the signature, but then the KEYS file in the dist area would be
> as vulnerable as that.
Good point. Not sure if this is actually a problem or not.
When I have time I will ask one of the infra gurus.
cheers
Christian
>
> Stefan
---
http://www.grobmeier.de
@grobmeier
GPG: 0xA5CC90DB
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic