On 21 Nov 2013, at 9:56, Stefan Bodewig wrote:
On 2013-11-21, Christian Grobmeier wrote:
On 21 Nov 2013, at 8:15, Stefan Bodewig wrote:
On 2013-11-21, Christian Grobmeier wrote:
One no blocker which I just saw: the KEYS file is included in the
dist. Shouldn't it be left out?
I think we've always done it that way in log4net and I know Ant has been
doing so since 2000 - what's wrong with it?
when somebody downloads it and opens the zip, it is tempting to
validate the package against the included KEYS file. But if somebody
could manipulate the content of the package, he also could manipulate
the KEYS file. For that reason the KEYS file should be on a different
location. This is the case, that's why I meant it's not critical. It
is on the other hand tempting to take the included one… nitpickery!
Thanks for pushing out the release!
If this somebody downloaded the signature from the ASF and not from a
mirror then the signature will not work if the zip has been modified, no
matter which KEYS file it contains. Unless you think the attacker has
modifie the signature, but then the KEYS file in the dist area would be
as vulnerable as that.
Good point. Not sure if this is actually a problem or not.
When I have time I will ask one of the infra gurus.
cheers
Christian
Stefan
---
http://www.grobmeier.de
@grobmeier
GPG: 0xA5CC90DB