Stefan Fritsch wrote:
> On Sunday 21 September 2014 21:13:50, Richard van den Berg wrote:
>> Package formats like apk and jar avoid this chicken and egg problem
>> by hashing the files inside a package, and storing those hashes in
>> a manifest file. Signatures only sign the manifest file. The
>> manifest itself and the signature files are not part of the
>> manifest, but are part of the package. So a package including its
>> signature(s) is still a single file.
>
> This is bad design and will inevitably lead to security issues (as has
> been demonstrated by Android and apk). One must check the signature
> first, and only if the signature matches, start parsing complex file
> formats. And yes, zip is complex enough to be a problem.
It is true that an embedded signature requires more complicated code, but it also simplifies the parts that the user has to understand. Perfect code with a bad user experience will also inevitably lead to security issues. I'm guessing that the ar format is simpler than zip, so that'd be helpful.

.hc

--
PGP fingerprint: 5E61 C878 0F86 295C E17D 8677 9F0F E587 374B BE81

_______________________________________________
Reproducible-builds mailing list
Reproducible-builds@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/reproducible-builds
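The two designs argued over above, as an added example that is not part of the thread and is not Android's or OpenJDK's code. It models the manifest scheme Richard describes (per-file SHA-256 digests in a MANIFEST.MF, a signature covering only the manifest, both stored inside the zip) next to the whole-file-first check Stefan asks for. Everything is simplified and labelled: the real JAR scheme adds a .SF file and a PKCS#7 .RSA/.DSA blob, which are omitted; the signature is an HMAC-SHA256 with a constructed demo key standing in for a public-key signature so the script runs offline; META-INF/DEMO.SIG and DEMO_KEY are assumed names, not part of any specification. The verifier shows the ordering the embedded design forces (the zip central directory and entry names are parsed before any signature is seen), and adds the checks a practitioner wants on top of the digest comparison: reject duplicate entry names, and require the manifest to list exactly the payload files so an unsigned file cannot be slipped in alongside signed ones.

```python
"""Simplified model of manifest-based package signing (JAR/APK style).
Added example; HMAC with a constructed key stands in for a real signature."""
import base64
import hashlib
import hmac
import io
import zipfile

MANIFEST_NAME = "META-INF/MANIFEST.MF"
SIG_NAME = "META-INF/DEMO.SIG"      # assumed name, not from any real spec
DEMO_KEY = b"constructed demo key, not a real signing key"   # constructed


def _b64_sha256(data: bytes) -> str:
    return base64.b64encode(hashlib.sha256(data).digest()).decode()


def build_manifest(entries: dict) -> bytes:
    """One 'Name:' / 'SHA-256-Digest:' section per file, sorted so the
    manifest bytes are reproducible for the same inputs."""
    lines = ["Manifest-Version: 1.0"]
    for name in sorted(entries):
        lines += ["", f"Name: {name}", f"SHA-256-Digest: {_b64_sha256(entries[name])}"]
    return ("\n".join(lines) + "\n").encode()


def parse_manifest(manifest: bytes) -> dict:
    """Return {name: digest}; only the two headers written above are understood."""
    expected, current = {}, None
    for line in manifest.decode().splitlines():
        if line.startswith("Name: "):
            current = line[len("Name: "):]
        elif line.startswith("SHA-256-Digest: ") and current is not None:
            expected[current] = line[len("SHA-256-Digest: "):]
            current = None
    return expected


def sign_manifest(manifest: bytes, key: bytes) -> bytes:
    return hmac.new(key, manifest, hashlib.sha256).digest()


def build_package(entries: dict, key: bytes) -> bytes:
    """Single zip holding the files, the manifest and the manifest signature."""
    manifest = build_manifest(entries)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
        zf.writestr(MANIFEST_NAME, manifest)
        zf.writestr(SIG_NAME, sign_manifest(manifest, key))
    return buf.getvalue()


def verify_package(package: bytes, key: bytes) -> tuple:
    """Embedded-signature check. The zip container must be parsed (central
    directory, entry names, two entries inflated) before the signature is seen."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(package))
    except zipfile.BadZipFile as exc:
        return False, f"not a zip: {exc}"
    with zf:
        names = zf.namelist()
        if len(names) != len(set(names)):
            return False, "duplicate entry names"   # ambiguous: which copy is checked?
        if MANIFEST_NAME not in names or SIG_NAME not in names:
            return False, "manifest or signature missing"
        manifest = zf.read(MANIFEST_NAME)
        if not hmac.compare_digest(zf.read(SIG_NAME), sign_manifest(manifest, key)):
            return False, "bad signature on manifest"
        expected = parse_manifest(manifest)
        payload = set(names) - {MANIFEST_NAME, SIG_NAME}
        if payload != set(expected):          # unsigned extra file or missing file
            return False, "manifest does not list exactly the payload files"
        for name, digest in expected.items():
            if not hmac.compare_digest(_b64_sha256(zf.read(name)), digest):
                return False, f"digest mismatch: {name}"
    return True, "ok"


def sign_whole_file(package: bytes, key: bytes) -> bytes:
    """Stefan's alternative: sign the raw bytes and append the tag."""
    return package + hmac.new(key, package, hashlib.sha256).digest()


def verify_whole_file(blob: bytes, key: bytes) -> tuple:
    """Check the signature before any container parsing happens."""
    if len(blob) < 32:
        return False, "too short"
    body, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
        return False, "bad signature; container never opened"
    return True, body        # only now may the caller hand body to zipfile


def rewrite_entry(package: bytes, name: str, data: bytes) -> bytes:
    """Attacker helper: replace or add one entry, leaving the manifest as is."""
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        entries = {n: zf.read(n) for n in zf.namelist()}
    entries[name] = data
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n, d in entries.items():
            zf.writestr(n, d)
    return buf.getvalue()


if __name__ == "__main__":
    files = {"classes.dex": b"constructed payload", "res/strings.txt": b"hello"}   # constructed
    pkg = build_package(files, DEMO_KEY)
    print(verify_package(pkg, DEMO_KEY))
    print(verify_package(rewrite_entry(pkg, "classes.dex", b"evil"), DEMO_KEY))
    print(verify_package(rewrite_entry(pkg, "extra.so", b"evil"), DEMO_KEY))
    print(verify_whole_file(sign_whole_file(pkg, DEMO_KEY), DEMO_KEY)[0])
```

The "exactly the payload files" test matters as much as the digest comparison: a manifest that only covers the files it lists says nothing about files it does not list, so without it an attacker appends an unsigned entry and the package still verifies. The duplicate-name rejection is there because zip allows two entries with the same name and a verifier and an installer may not agree on which one wins; refusing the package sidesteps the ambiguity rather than trying to resolve it.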