-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Larry,
> From: Larry Jones
>
> Many browsers will automagically unzip the file without removing the .gz
> from the file name -- that may be all that's going on.

I'd buy this concept if it were a consistent behavior. When I download a source "*.tar.gz" and corresponding "*.tar.gz.sig", I get file sizes consistent with values on download page and a PGP signature check reports a valid file. I'm still unable to download "*.gz.sig" for binaries with Internet Explorer 6 and the same download with Netscape 4.8 saves a zero length file.

Working your idea a bit further, the file received with Internet Explorer 6 is the exact size and content of the uncompressed original which says "magic" is taking place but I'm not sure it's client side magic because I expect the client side "magic" to work against all servers and that's not currently true. I get "magic" behavior with:

https://ccvs.cvshome.org/servlets/ProjectDocumentList?folderID=92

and many other binary areas on CVS home but no "magic" with

https://ccvs.cvshome.org/servlets/ProjectDocumentList?folderID=0

and no "magic" with

http://jakarta.apache.org/site/binindex.cgi

either.

The current situation may or may not be a security breach and I don't feel qualified to make such a determination. All I can say for sure is that today it's not possible to download a binary file with its corresponding PGP signature file and verify the authenticity of the binary file with PGP. The zero length signature files are one problem and the "magic" expansion of the compressed file also defeats the ability to verify authenticity. I recall in the past we could do so. PGP signature verification does work for the source tar balls today and the lack of consistency is what really troubles me.

Something is wrong with the process that downloads binary files and their signature files but I can't tell you what is wrong. I can only report the symptoms. I do know it seems specific to the CVS Home binary file areas.
In my opinion the lack of evidence in either direction other than my own is seriously retarding the effort to understand and remedy this issue or to know even if it rises to such a level. Can you try to replicate my tests and provide another set of data points?

Am I the only Windows 2000 and Internet Explorer 6 person using CVS? If no, can someone please try replicating this issue and report results?

> -Larry Jones

Conrad

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0.4

iQA/AwUBQfc8lLNM28ubzTo9EQKVKwCfR85jxwdZNA7q0dN6Cwa9HKwuC5QAn2Jw
JaAyaNwwfMA2In7XPfywCat9
=ObpE
-----END PGP SIGNATURE-----
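An added example, not part of the original message: a pre-verification check for the two symptoms reported above, a file named `.gz` whose bytes are no longer gzip data and a zero-length detached signature. The function names, file names and sample data are constructed for illustration.

```python
import gzip, io, os, tarfile, tempfile

GZIP_MAGIC = b"\x1f\x8b"      # every gzip member starts with these bytes (RFC 1952)
USTAR_AT = 257                # offset of the "ustar" magic in a tar header
ARMOR = b"-----BEGIN PGP SIGNATURE-----"

def diagnose_download(data_path, sig_path):
    """List the reasons a detached-signature check on this pair cannot succeed."""
    findings = []
    with open(data_path, "rb") as fh:
        head = fh.read(512)
    if data_path.endswith(".gz") and not head.startswith(GZIP_MAGIC):
        is_tar = head[USTAR_AT:USTAR_AT + 5] == b"ustar"
        kind = "an uncompressed tar archive" if is_tar else "not gzip data"
        findings.append(f"data: named .gz but content is {kind}")
    with open(sig_path, "rb") as fh:
        sig = fh.read(64)
    if not sig:
        findings.append("signature: zero-length file")
    elif not (sig.lstrip().startswith(ARMOR) or sig[0] & 0x80):
        # Binary OpenPGP packets always have the top bit of the first octet set.
        findings.append("signature: not OpenPGP data")
    return findings

def demo():
    """Build constructed sample files and return (broken, intact) findings."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        payload = b"constructed sample\n"
        info = tarfile.TarInfo("demo/README")
        info.size = len(payload)
        tar.addfile(info, io.BytesIO(payload))
    tar_bytes = buf.getvalue()
    with tempfile.TemporaryDirectory() as d:
        def write(name, data):
            path = os.path.join(d, name)
            with open(path, "wb") as fh:
                fh.write(data)
            return path
        # Pair with the reported symptoms: expanded content, empty signature.
        broken = diagnose_download(write("a.tar.gz", tar_bytes),
                                   write("a.tar.gz.sig", b""))
        # Pair as published: real gzip bytes, armored header (placeholder body).
        intact = diagnose_download(write("b.tar.gz", gzip.compress(tar_bytes)),
                                   write("b.tar.gz.sig", ARMOR + b"\n(placeholder)\n"))
    return broken, intact

if __name__ == "__main__":
    print(demo())
```

An empty findings list only means the pair is worth handing to PGP; it says nothing about whether the signature is valid.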
