On 2013-11-21, Christian Grobmeier wrote: > On 21 Nov 2013, at 8:15, Stefan Bodewig wrote:
>> On 2013-11-21, Christian Grobmeier wrote: >>> One no blocker which I just saw: the KEYS file is included in the >>> dist. Shouldn't it be left out? >> I think we've always done it that way in log4net and I know Ant has been >> doing so since 2000 - what's wrong with it? > when somebody downloads it and opens the zip, it is tempting to > validate the package against the included KEYS file. But if somebody > could manipulate the content of the package, he also could manipulate > the KEYS file. For that reason the KEYS file should be on a different > location. This is the case, that's why I meant it's not critical. It > is on the other hand tempting to take the included oneā¦ nitpickery! > Thanks for pushing out the release! If this "somebody" downloaded the signature from the ASF and not from a mirror then the signature will not work if the zip has been modified, no matter which KEYS file it contains. Unless you think the attacker has modifie the signature, but then the KEYS file in the dist area would be as vulnerable as that. Stefan
