Hi,

On Tue, Apr 22, 2008 at 11:27 AM, Thomas Mueller <[EMAIL PROTECTED]> wrote:
> 4) After uploading, a hacker replaced the files and checksums
> [...]
> Item 4: Download mirrors could cross-check each other. Are they doing
> that? Another idea is to set up a daemon somewhere that downloads
> Jackrabbit from time to time and compares against the initial set of
> files (and sends a mail if there is a problem). Is there a service
> somewhere that does that?
That's why the download pages point people to get the checksums from www.apache.org instead of one of the mirrors. A hacker would need to compromise www.apache.org to break the checksums. And even then the attacker couldn't fake the GPG signatures bound to the Apache web of trust.

I'd be more concerned about 3 (or other attacks targeting the RM) as a potential attack vector against our users, but frankly I think the risk for that is insignificant.

BR,

Jukka Zitting
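The point of the reply above is that a checksum fetched from the same mirror as the tarball proves nothing, because whoever replaced the tarball can recompute the checksum too; the digest has to come from a host the attacker does not control. The script below is an added example written for this page, not code from the thread, from Jackrabbit or from the Apache project. It parses the two layouts Apache `.sha512` files have been published in (plain `sha512sum` output and `gpg --print-md` style hex groups), verifies a downloaded artifact against them, and plays out the mirror-compromise case with constructed in-memory files. The artifact name, the file contents and the `render_print_md` wrapping are assumptions made for the example; nothing is fetched from the network.

```python
"""Verify a release download against a checksum taken from the canonical host.

Added example, not code from the Jackrabbit thread or the Apache project.
All hosts, files and digests below are constructed in memory (offline).
"""
import hashlib
import hmac
import re

# "<128 hex>  <filename>" as written by sha512sum (optional '*' marks binary mode)
_SHA512SUM_LINE = re.compile(r"^([0-9A-Fa-f]{128})\s+\*?(\S+)$")
# one or more space-separated hex groups, as written by gpg --print-md
_HEX_GROUPS = re.compile(r"^[0-9A-Fa-f]+( [0-9A-Fa-f]+)*$")


def parse_checksum_file(text: str) -> dict:
    """Return {filename: lowercase hex digest} from a .sha512 file.

    Accepts both layouts seen on Apache download pages:
      sha512sum style:      "<128 hex>  <filename>"
      gpg --print-md style: "<filename>: 0123 4567 ..." with uppercase hex groups
                            wrapped onto indented continuation lines.
    """
    digests, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _SHA512SUM_LINE.match(line)
        if m:
            digests[m.group(2)] = m.group(1).lower()
            current = None
            continue
        if current is not None and _HEX_GROUPS.match(line):
            digests[current] += line.replace(" ", "").lower()  # wrapped digest
            continue
        name, sep, rest = line.partition(":")
        rest = rest.strip()
        if sep and (not rest or _HEX_GROUPS.match(rest)):
            current = name.strip()
            digests[current] = rest.replace(" ", "").lower()
            continue
        raise ValueError(f"unrecognised checksum line: {raw!r}")
    return digests


def verify_artifact(artifact: bytes, filename: str, checksum_text: str) -> bool:
    """True iff SHA-512(artifact) equals the digest recorded for filename."""
    expected = parse_checksum_file(checksum_text).get(filename)
    if expected is None or len(expected) != 128:
        return False
    return hmac.compare_digest(hashlib.sha512(artifact).hexdigest(), expected)


def render_sha512sum(filename: str, data: bytes) -> str:
    """What a release manager publishes with `sha512sum <file>`."""
    return f"{hashlib.sha512(data).hexdigest()}  {filename}\n"


def render_print_md(filename: str, data: bytes, groups_per_line: int = 8) -> str:
    """Approximation of `gpg --print-md SHA512 <file>`: uppercase 4-hex groups
    wrapped and indented under the filename (wrap width is an assumption)."""
    hexd = hashlib.sha512(data).hexdigest().upper()
    groups = [hexd[i:i + 4] for i in range(0, len(hexd), 4)]
    prefix = f"{filename}: "
    indent = " " * len(prefix)
    lines = []
    for i in range(0, len(groups), groups_per_line):
        lines.append((prefix if i == 0 else indent) + " ".join(groups[i:i + groups_per_line]))
    return "\n".join(lines) + "\n"


# Constructed stand-ins; ARTIFACT is an illustrative name, not a real release file.
ARTIFACT = "jackrabbit-example.tar.gz"
GENUINE = b"stand-in for the tarball the release manager uploaded\n"
TAMPERED = b"stand-in for a tarball swapped in on a compromised mirror\n"

# Served by www.apache.org: the release manager's digest of the genuine file.
TRUSTED_SHA512 = render_print_md(ARTIFACT, GENUINE)

# Case 4 from the thread: the mirror serves a replaced file AND a checksum
# recomputed over it, so the mirror's own .sha512 is internally consistent.
MIRROR = {
    ARTIFACT: TAMPERED,
    ARTIFACT + ".sha512": render_sha512sum(ARTIFACT, TAMPERED),
}


def check_download(checksum_source: str) -> bool:
    """Verify the mirror's artifact against a .sha512 taken from checksum_source."""
    downloaded = MIRROR[ARTIFACT]
    if checksum_source == "mirror":
        return verify_artifact(downloaded, ARTIFACT, MIRROR[ARTIFACT + ".sha512"])
    if checksum_source == "www.apache.org":
        return verify_artifact(downloaded, ARTIFACT, TRUSTED_SHA512)
    raise ValueError(checksum_source)


if __name__ == "__main__":
    print("tampered file, checksum from mirror        :", check_download("mirror"))          # True: consistent lie
    print("tampered file, checksum from www.apache.org:", check_download("www.apache.org"))  # False: caught
    print("genuine file,  checksum from www.apache.org:", verify_artifact(GENUINE, ARTIFACT, TRUSTED_SHA512))  # True
```

The checksum check only moves trust from the mirror to www.apache.org; the second half of Jukka's argument, that the GPG signature cannot be forged even if that host is compromised, is the `gpg --verify <artifact>.asc <artifact>` step run after importing the project's KEYS file, which this example does not reproduce because it needs a real key ring.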
