Re: KEYS in dist (was Re: [VOTE] Release Log4Net 1.2.13 based on RC3)

2013-11-21 Thread Christian Grobmeier
On 21 Nov 2013, at 9:56, Stefan Bodewig wrote:

> On 2013-11-21, Christian Grobmeier wrote:
>
>> On 21 Nov 2013, at 8:15, Stefan Bodewig wrote:
>
>>> On 2013-11-21, Christian Grobmeier wrote:
>
>>>> One non-blocker which I just saw: the KEYS file is included in the
>>>> dist. Shouldn't it be left out?
>
>>> I think we've always done it that way in log4net and I know Ant has been
>>> doing so since 2000 - what's wrong with it?
>
>> when somebody downloads it and opens the zip, it is tempting to
>> validate the package against the included KEYS file. But if somebody
>> could manipulate the content of the package, he also could manipulate
>> the KEYS file.  For that reason the KEYS file should be on a different
>> location. This is the case, that's why I meant it's not critical. It
>> is on the other hand tempting to take the included one… nitpickery!
>> Thanks for pushing out the release!
>
> If this "somebody" downloaded the signature from the ASF and not from a
> mirror then the signature will not work if the zip has been modified, no
> matter which KEYS file it contains.  Unless you think the attacker has
> modified the signature, but then the KEYS file in the dist area would be
> as vulnerable as that.

Good point. Not sure if this is actually a problem or not.
When I have time I will ask one of the infra gurus.

cheers
Christian

>
> Stefan


---
http://www.grobmeier.de
@grobmeier
GPG: 0xA5CC90DB


KEYS in dist (was Re: [VOTE] Release Log4Net 1.2.13 based on RC3)

2013-11-21 Thread Stefan Bodewig
On 2013-11-21, Christian Grobmeier wrote:

> On 21 Nov 2013, at 8:15, Stefan Bodewig wrote:

>> On 2013-11-21, Christian Grobmeier wrote:

>>> One non-blocker which I just saw: the KEYS file is included in the
>>> dist. Shouldn't it be left out?

>> I think we've always done it that way in log4net and I know Ant has been
>> doing so since 2000 - what's wrong with it?

> when somebody downloads it and opens the zip, it is tempting to
> validate the package against the included KEYS file. But if somebody
> could manipulate the content of the package, he also could manipulate
> the KEYS file.  For that reason the KEYS file should be on a different
> location. This is the case, that's why I meant it's not critical. It
> is on the other hand tempting to take the included one… nitpickery!
> Thanks for pushing out the release!

If this "somebody" downloaded the signature from the ASF and not from a
mirror then the signature will not work if the zip has been modified, no
matter which KEYS file it contains.  Unless you think the attacker has
modified the signature, but then the KEYS file in the dist area would be
as vulnerable as that.

Stefan
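The verification Stefan describes, as an added shell example that is not part of this thread: the detached signature and the KEYS file are fetched from the canonical apache.org dist area, never from a mirror and never from inside the archive itself. It assumes gpg and curl are installed; the URLs in the usage comment are placeholders for the project's real dist paths.

```shell
# Only the canonical ASF dist host is trusted as a source for KEYS and .asc
# files. Mirrors (and the archive itself) are fine for the large artifact only.
is_trusted_source() {
  case "$1" in
    https://www.apache.org/dist/*|https://downloads.apache.org/*) return 0 ;;
    *) return 1 ;;
  esac
}

# verify_release ARCHIVE SIG_URL KEYS_URL
# Imports KEYS into a throwaway keyring (so nothing touches your own trust
# database) and checks the detached signature over the locally downloaded archive.
verify_release() {
  archive="$1"; sig_url="$2"; keys_url="$3"
  is_trusted_source "$sig_url"  || { echo "signature must come from apache.org" >&2; return 1; }
  is_trusted_source "$keys_url" || { echo "KEYS must come from apache.org" >&2; return 1; }
  [ -f "$archive" ] || { echo "archive not found: $archive" >&2; return 1; }

  tmp=$(mktemp -d) || return 1
  curl -fsSL "$sig_url"  -o "$tmp/release.asc" || { rm -rf "$tmp"; return 1; }
  curl -fsSL "$keys_url" -o "$tmp/KEYS"        || { rm -rf "$tmp"; return 1; }

  GNUPGHOME="$tmp/gnupg"; export GNUPGHOME   # isolated keyring for this check
  mkdir -m 700 "$GNUPGHOME"
  gpg --batch --quiet --import "$tmp/KEYS" || { rm -rf "$tmp"; return 1; }

  # A good signature only proves the archive was signed by *some* key listed in
  # KEYS; still compare the reported key fingerprint with one you have verified
  # out of band (gpg prints "not certified" for an imported-but-untrusted key).
  if gpg --batch --verify "$tmp/release.asc" "$archive"; then rc=0; else rc=1; fi
  rm -rf "$tmp"
  return $rc
}

# Usage (placeholder paths, assumption: substitute the project's actual dist URLs):
# verify_release apache-log4net-1.2.13-bin.zip \
#   https://www.apache.org/dist/<project>/apache-log4net-1.2.13-bin.zip.asc \
#   https://www.apache.org/dist/<project>/KEYS
```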