KEYS in dist (was Re: [VOTE] Release Log4Net 1.2.13 based on RC3)
On 2013-11-21, Christian Grobmeier wrote: On 21 Nov 2013, at 8:15, Stefan Bodewig wrote: On 2013-11-21, Christian Grobmeier wrote: One no blocker which I just saw: the KEYS file is included in the dist. Shouldn't it be left out? I think we've always done it that way in log4net and I know Ant has been doing so since 2000 - what's wrong with it? when somebody downloads it and opens the zip, it is tempting to validate the package against the included KEYS file. But if somebody could manipulate the content of the package, he also could manipulate the KEYS file. For that reason the KEYS file should be on a different location. This is the case, that's why I meant it's not critical. It is on the other hand tempting to take the included one… nitpickery! Thanks for pushing out the release! If this somebody downloaded the signature from the ASF and not from a mirror then the signature will not work if the zip has been modified, no matter which KEYS file it contains. Unless you think the attacker has modifie the signature, but then the KEYS file in the dist area would be as vulnerable as that. Stefan
Re: KEYS in dist (was Re: [VOTE] Release Log4Net 1.2.13 based on RC3)
On 21 Nov 2013, at 9:56, Stefan Bodewig wrote: On 2013-11-21, Christian Grobmeier wrote: On 21 Nov 2013, at 8:15, Stefan Bodewig wrote: On 2013-11-21, Christian Grobmeier wrote: One no blocker which I just saw: the KEYS file is included in the dist. Shouldn't it be left out? I think we've always done it that way in log4net and I know Ant has been doing so since 2000 - what's wrong with it? when somebody downloads it and opens the zip, it is tempting to validate the package against the included KEYS file. But if somebody could manipulate the content of the package, he also could manipulate the KEYS file. For that reason the KEYS file should be on a different location. This is the case, that's why I meant it's not critical. It is on the other hand tempting to take the included one… nitpickery! Thanks for pushing out the release! If this somebody downloaded the signature from the ASF and not from a mirror then the signature will not work if the zip has been modified, no matter which KEYS file it contains. Unless you think the attacker has modifie the signature, but then the KEYS file in the dist area would be as vulnerable as that. Good point. Not sure if this is actually a problem or not. When I have time I will ask one of the infra gurus. cheers Christian Stefan --- http://www.grobmeier.de @grobmeier GPG: 0xA5CC90DB
Re: [VOTE] Release Log4Net 1.2.13 based on RC3
+1 checked formalities, but didn't interpret the content b/c lack of windows :-) One no blocker which I just saw: the KEYS file is included in the dist. Shouldn't it be left out? Cheers On 18 Nov 2013, at 6:21, Stefan Bodewig wrote: Hi all, three times is a charm. :-) Changes over RC2 is a packaging change (the 3.5 assemblies now contain the ILogExtensions) and two bug fixes. log4net 1.2.13 RC3 is available for review here: https://dist.apache.org/repos/dist/dev/logging/log4net (revision 3550) Details of changes since 1.2.12 are in the release notes: http://logging.apache.org/log4net/log4net-1.2.13/release/release-notes.html I have tested this with Mono and several .NET frameworks using NAnt. The tag is here: https://svn.apache.org/repos/asf/logging/log4net/tags/1.2.13RC3 (revision 1542676) Site: http://logging.apache.org/log4net/log4net-1.2.13/ (this is revision 887035 of https://svn.apache.org/repos/infra/websites/production/logging/content/log4net/log4net-1.2.13) RAT Report: http://logging.apache.org/log4net/log4net-1.2.13/rat-report.html Votes, please. This vote will close in 72 hours, 0530 GMT 21-Nov 2013 [ ] +1 Release these artifacts [ ] +0 OK, but... [ ] -0 OK, but really should fix... [ ] -1 I oppose this release because... Thanks! Stefan --- http://www.grobmeier.de @grobmeier GPG: 0xA5CC90DB
Re: [VOTE] Release Log4Net 1.2.13 based on RC3
On 2013-11-21, Christian Grobmeier wrote: +1 checked formalities, but didn't interpret the content b/c lack of windows :-) thanks. One no blocker which I just saw: the KEYS file is included in the dist. Shouldn't it be left out? I think we've always done it that way in log4net and I know Ant has been doing so since 2000 - what's wrong with it? Stefan
Re: [VOTE] Release Log4Net 1.2.13 based on RC3
On 21 Nov 2013, at 8:15, Stefan Bodewig wrote: On 2013-11-21, Christian Grobmeier wrote: +1 checked formalities, but didn't interpret the content b/c lack of windows :-) thanks. One no blocker which I just saw: the KEYS file is included in the dist. Shouldn't it be left out? I think we've always done it that way in log4net and I know Ant has been doing so since 2000 - what's wrong with it? when somebody downloads it and opens the zip, it is tempting to validate the package against the included KEYS file. But if somebody could manipulate the content of the package, he also could manipulate the KEYS file. For that reason the KEYS file should be on a different location. This is the case, that's why I meant it's not critical. It is on the other hand tempting to take the included one… nitpickery! Thanks for pushing out the release! Stefan --- http://www.grobmeier.de @grobmeier GPG: 0xA5CC90DB
AW: [VOTE] Release Log4Net 1.2.13 based on RC3
I've looked over the homepage, the SDK and checked the RAT report. If the binaries are fine, it looks good. +1 -Ursprüngliche Nachricht- Von: Stefan Bodewig [mailto:bode...@apache.org] Gesendet: Montag, 18. November 2013 06:22 An: log4net-dev@logging.apache.org; gene...@logging.apache.org Betreff: [VOTE] Release Log4Net 1.2.13 based on RC3 Hi all, three times is a charm. :-) Changes over RC2 is a packaging change (the 3.5 assemblies now contain the ILogExtensions) and two bug fixes. log4net 1.2.13 RC3 is available for review here: https://dist.apache.org/repos/dist/dev/logging/log4net (revision 3550) Details of changes since 1.2.12 are in the release notes: http://logging.apache.org/log4net/log4net-1.2.13/release/release- notes.html I have tested this with Mono and several .NET frameworks using NAnt. The tag is here: https://svn.apache.org/repos/asf/logging/log4net/tags/1.2.13RC3 (revision 1542676) Site: http://logging.apache.org/log4net/log4net-1.2.13/ (this is revision 887035 of https://svn.apache.org/repos/infra/websites/production/logging/content/lo g4net/log4net-1.2.13) RAT Report: http://logging.apache.org/log4net/log4net-1.2.13/rat-report.html Votes, please. This vote will close in 72 hours, 0530 GMT 21-Nov 2013 [ ] +1 Release these artifacts [ ] +0 OK, but... [ ] -0 OK, but really should fix... [ ] -1 I oppose this release because... Thanks! Stefan
[VOTE] Release Log4Net 1.2.13 based on RC3
Hi all, three times is a charm. :-) Changes over RC2 is a packaging change (the 3.5 assemblies now contain the ILogExtensions) and two bug fixes. log4net 1.2.13 RC3 is available for review here: https://dist.apache.org/repos/dist/dev/logging/log4net (revision 3550) Details of changes since 1.2.12 are in the release notes: http://logging.apache.org/log4net/log4net-1.2.13/release/release-notes.html I have tested this with Mono and several .NET frameworks using NAnt. The tag is here: https://svn.apache.org/repos/asf/logging/log4net/tags/1.2.13RC3 (revision 1542676) Site: http://logging.apache.org/log4net/log4net-1.2.13/ (this is revision 887035 of https://svn.apache.org/repos/infra/websites/production/logging/content/log4net/log4net-1.2.13) RAT Report: http://logging.apache.org/log4net/log4net-1.2.13/rat-report.html Votes, please. This vote will close in 72 hours, 0530 GMT 21-Nov 2013 [ ] +1 Release these artifacts [ ] +0 OK, but... [ ] -0 OK, but really should fix... [ ] -1 I oppose this release because... Thanks! Stefan
