On 21 Nov 2013, at 9:56, Stefan Bodewig wrote:

> On 2013-11-21, Christian Grobmeier wrote:
>
>> On 21 Nov 2013, at 8:15, Stefan Bodewig wrote:
>
>>> On 2013-11-21, Christian Grobmeier wrote:
>
>>>> One non-blocker which I just saw: the KEYS file is included in the
>>>> dist. Shouldn't it be left out?
>
>>> I think we've always done it that way in log4net and I know Ant has been
>>> doing so since 2000 - what's wrong with it?
>
>> When somebody downloads it and opens the zip, it is tempting to
>> validate the package against the included KEYS file. But if somebody
>> could manipulate the content of the package, he also could manipulate
>> the KEYS file. For that reason the KEYS file should be in a different
>> location. This is the case, that's why I meant it's not critical. It
>> is on the other hand tempting to take the included one… nitpickery!
>> Thanks for pushing out the release!
>
> If this "somebody" downloaded the signature from the ASF and not from a
> mirror then the signature will not work if the zip has been modified, no
> matter which KEYS file it contains. Unless you think the attacker has
> modified the signature, but then the KEYS file in the dist area would be
> as vulnerable as that.

Good point. Not sure if this is actually a problem or not. When I have time I will ask one of the infra gurus.

cheers
Christian

> Stefan

---
http://www.grobmeier.de
@grobmeier
GPG: 0xA5CC90DB
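The scenario the two of them are arguing about, written out as a runnable check. This is an added example, not code from the thread or from the log4net project: it verifies a release archive against its detached .asc signature using only a KEYS file taken from the canonical location, in a throw-away keyring, and then walks through the three cases (genuine archive; archive swapped on a mirror; archive swapped and re-signed with a KEYS file bundled inside it). It assumes GnuPG 2.1 or later on PATH; the keys, archive contents and file names are all constructed for the demo and stand in for the real apache.org KEYS, .asc and mirror downloads.

```sh
#!/bin/sh
# Added example, not from the thread or from log4net. Requires GnuPG 2.1+.
# File names and key material below are constructed placeholders.
set -eu

# verify_release ARCHIVE ASC KEYS
# Imports KEYS into a throw-away keyring (so nothing already trusted on this
# machine can satisfy the check) and verifies the detached signature ASC over
# ARCHIVE. Returns 0 only for a good signature made by a key listed in KEYS.
verify_release() {
    archive=$1; asc=$2; keys=$3
    kr=$(mktemp -d); chmod 700 "$kr"
    rc=0
    gpg --homedir "$kr" --batch --quiet --import "$keys" 2>/dev/null || rc=1
    if [ "$rc" -eq 0 ]; then
        gpg --homedir "$kr" --batch --quiet --verify "$asc" "$archive" 2>/dev/null || rc=1
    fi
    gpgconf --homedir "$kr" --kill all 2>/dev/null || true
    rm -rf "$kr"
    return "$rc"
}

# make_signer DIR NAME: create a throw-away signing key under DIR/home and
# export its public key to DIR/KEYS (stands in for a release manager, or for
# an attacker who controls a mirror).
make_signer() {
    dir=$1; name=$2
    mkdir -p "$dir/home"; chmod 700 "$dir/home"
    gpg --homedir "$dir/home" --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "$name <$name@example.invalid>" default default never 2>/dev/null
    gpg --homedir "$dir/home" --batch --quiet --armor --export > "$dir/KEYS"
}

# sign_file DIR FILE: write an armored detached signature FILE.asc with DIR's key
sign_file() {
    gpg --homedir "$1/home" --batch --quiet --yes --pinentry-mode loopback --passphrase '' \
        --armor --detach-sign --output "$2.asc" "$2"
}

# demo: replays the scenario with constructed files. Prints one line per case
# and returns 0 only if every case behaves as the thread predicts.
demo() {
    work=$(mktemp -d)
    make_signer "$work/asf" "release-manager"   # real signer; KEYS lives on apache.org
    make_signer "$work/evil" "mirror-attacker"  # attacker controlling a mirror

    printf 'log4net release (constructed archive)\n' > "$work/log4net.zip"
    sign_file "$work/asf" "$work/log4net.zip"   # .asc as fetched from apache.org

    ok=0
    # 1. untouched archive, signature and KEYS from the canonical site: good
    verify_release "$work/log4net.zip" "$work/log4net.zip.asc" "$work/asf/KEYS" \
        && echo "genuine archive: verified" || ok=1

    # 2. attacker swaps the archive on the mirror but cannot forge the .asc
    printf 'backdoored build\n' > "$work/log4net.zip"
    verify_release "$work/log4net.zip" "$work/log4net.zip.asc" "$work/asf/KEYS" \
        && ok=1 || echo "tampered archive: rejected"

    # 3. attacker also re-signs and ships his own KEYS inside the archive:
    #    trusting the bundled KEYS "verifies", the canonical KEYS rejects it
    sign_file "$work/evil" "$work/log4net.zip"
    verify_release "$work/log4net.zip" "$work/log4net.zip.asc" "$work/evil/KEYS" \
        && echo "tampered archive + bundled KEYS: accepted (this is the trap)" || ok=1
    verify_release "$work/log4net.zip" "$work/log4net.zip.asc" "$work/asf/KEYS" \
        && ok=1 || echo "tampered archive + canonical KEYS: rejected"

    gpgconf --homedir "$work/asf/home" --kill all 2>/dev/null || true
    gpgconf --homedir "$work/evil/home" --kill all 2>/dev/null || true
    rm -rf "$work"
    return "$ok"
}
```

The isolated `--homedir` matters: verifying against the user's normal keyring would accept any key they happen to have imported, which is exactly the "tempting to take the included one" mistake in a different guise. Case 3 is the one Stefan's reply covers: an attacker who can replace the archive on a mirror can also replace a KEYS file bundled in it, so the bundled copy proves nothing, while a signature fetched from the ASF dist area still fails against the canonical KEYS.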