On 21 Nov 2013, at 9:56, Stefan Bodewig wrote:
> On 2013-11-21, Christian Grobmeier wrote:
>
>> On 21 Nov 2013, at 8:15, Stefan Bodewig wrote:
>
>>> On 2013-11-21, Christian Grobmeier wrote:
>
>>>> One non-blocker which I just saw: the KEYS file is included in the
>>>> dist. Shouldn't it be left out?
>
>>> I think we've always done it that way in log4net and I know Ant has been
>>> doing so since 2000 - what's wrong with it?
>
>> when somebody downloads it and opens the zip, it is tempting to
>> validate the package against the included KEYS file. But if somebody
>> could manipulate the content of the package, he also could manipulate
>> the KEYS file. For that reason the KEYS file should be on a different
>> location. This is the case, that's why I meant it's not critical. It
>> is on the other hand tempting to take the included one… nitpickery!
>> Thanks for pushing out the release!
>
> If this "somebody" downloaded the signature from the ASF and not from a
> mirror then the signature will not work if the zip has been modified, no
> matter which KEYS file it contains. Unless you think the attacker has
> modified the signature, but then the KEYS file in the dist area would be
> as vulnerable as that.
Good point. Not sure if this is actually a problem or not.
When I have time I will ask one of the infra gurus.
cheers
Christian
>
> Stefan
---
http://www.grobmeier.de
@grobmeier
GPG: 0xA5CC90DB
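The verification procedure the thread converges on, written out as an added example that is not part of the original mail: the archive itself may come from a mirror, but the detached .asc signature and the KEYS file are fetched from the canonical ASF download location and never taken from inside the archive. The trusted host patterns, the PROJECT/RELEASE path, the mirror URL and the file names are assumptions and placeholders, not values from the thread.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread). Verifies a release the way
# the discussion recommends: artifact from anywhere, KEYS and .asc only from
# the canonical ASF location, never from inside the zip. Paths are placeholders.
set -eu

# Only canonical ASF URLs are acceptable sources for KEYS and .asc.
# (Host patterns are assumptions; adjust to your project's real dist path.)
is_trusted_source() {
  case "$1" in
    https://www.apache.org/dist/*|https://downloads.apache.org/*) return 0 ;;
    *) return 1 ;;
  esac
}

# Fetch a file, refusing any URL that is not a canonical ASF location.
fetch_trusted() {
  url=$1; out=$2
  is_trusted_source "$url" || { echo "refusing untrusted source: $url" >&2; return 1; }
  curl -fsSL -o "$out" "$url"
}

# Import KEYS into a throwaway keyring (so nothing in the user's own keyring
# can vouch for the file) and verify ARTIFACT against SIG. Returns 0 only when
# gpg reports a good signature made by a key that is present in KEYS.
verify_release() {
  artifact=$1; sig=$2; keys=$3
  tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
  gpg --homedir "$tmp" --batch --quiet --import "$keys"
  gpg --homedir "$tmp" --batch --verify "$sig" "$artifact"
}

# Usage with placeholder URLs: the zip may come from a mirror, the rest must not.
if [ "${1:-}" = "run" ]; then
  DIST=https://www.apache.org/dist/PROJECT/RELEASE        # placeholder path
  curl -fsSL -o release.zip https://MIRROR/PROJECT/RELEASE/release.zip   # placeholder
  fetch_trusted "$DIST/release.zip.asc" release.zip.asc
  fetch_trusted "https://www.apache.org/dist/PROJECT/KEYS" KEYS
  verify_release release.zip release.zip.asc KEYS && echo "signature OK"
fi
```

Run with `sh verify.sh run` after replacing the placeholders; a KEYS file extracted from the zip would fail `is_trusted_source` because it has no canonical URL at all.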