@Daniel, Right, this is about poisoning the committer keys but not touching the SVN, instead, counterfeiting a binary release downstream, but faking the asc, md5, and sha1 too. (These would not be at dist, and depend on folks not noticing because the instructions for how to check correctly are so obscure. It is very far-fetched, since there are easier exploits that rely on user's not being equipped to verify what they are getting and not relying on the authentic download location.
Another way would be to attack the release candidate in the release manager's ASF FreeBSD account, although someone who checks the signature might notice that it is by an unexpected committer. Again, reasonably far-fetched. Two committers would have to be compromised, or the Release Manager would have to be compromised and not notice that there is a new fingerprint in the RM's profile. I like that last one. It has a certain movie-plot plausibility. Who ever looks for funny business in their profile, or odd materials in their keys entry? (Note that it is the binaries that are compromised, there is no messing with the source tarballs.) - Dennis -----Original Message----- From: Daniel Shahaf [mailto:danie...@apache.org] Sent: Monday, April 29, 2013 15:58 To: Dennis E. Hamilton Cc: dev@openoffice.apache.org; pesce...@apache.org Subject: Re: Proposal: Improve security by limiting committer access in SVN -- KEYS Compromise Exposure Dennis E. Hamilton wrote on Mon, Apr 29, 2013 at 10:31:14 -0700: > 5. This is sufficient to poison a download mirror site with > a counterfeit download so long as the ASC, SHA1, and MD5 locations > can also be spoofed without the user noticing. Right. The normal answer here is "They will have to commit to the dist/ repository which will cause a post-commit mail which someone will notice". I'd be interested in hearing (on infra-dev@) how you break this without assuming a mirror gets compromised (if _that_ happens, it's game over for users who don't verify PGP sigs). --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@openoffice.apache.org For additional commands, e-mail: dev-h...@openoffice.apache.org --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@openoffice.apache.org For additional commands, e-mail: dev-h...@openoffice.apache.org