Proposal: Improve security by limiting committer access in SVN -- KEYS Compromise Exposure
-----Original Message-----
From: Daniel Shahaf [mailto:danie...@apache.org]
Sent: Monday, April 29, 2013 15:58
To: Dennis E. Hamilton
Cc: dev@openoffice.apache.org; pesce...@apache.org
Subject: Re: Proposal: Improve security by limiting committer access in SVN -- KEYS Compromise Exposure
Today, I did some digging around with respect to a different project and I noticed a vulnerability that had not been discussed:
1. Assume that the credentials of an Apache OpenOffice Committer are compromised (or the committer goes rogue).
2. This allows the compromised/rogue credentials to
Dennis E. Hamilton wrote on Mon, Apr 29, 2013 at 10:31:14 -0700:
5. This is sufficient to poison a download mirror site with a counterfeit download so long as the ASC, SHA1, and MD5 locations can also be spoofed without the user noticing.
Right. The normal answer here is They will have