Ramon,
You can validate the officialness of a binary the same way every other
non-.net system does it, via the MD5 or pgp signature of the official release.
IIRC, there were two reasons behind still needing the signed release, first,
some companies _require_ that the software be signed, doesn't matter by whom,
but it must be signed. And the second reason was that you can't put it in the
GAC if it's not signed so it you want a copy in the GAC then you have to be
able to sign it. By keeping both the old and new keys active you can stay with
the totally-official signed copy if you want, and you can get a little more
flexibility if you want. Choice is yours.
-Walden
--
Walden H Leverich III
Tech Software
BEC - IRBManager
(516) 627-3800 x3051
wald...@techsoftinc.commailto:wald...@techsoftinc.com
http://www.TechSoftInc.comhttp://www.techsoftinc.com/
http://www.IRBManager.comhttp://www.irbmanager.com/
Quiquid latine dictum sit altum viditur.
(Whatever is said in Latin seems profound.)
From: Ramon Smits [mailto:ramon.sm...@gmail.com]
Sent: Friday, December 23, 2011 3:49 AM
To: log4net-dev@logging.apache.org
Subject: Old / new key flaw
What is it with this old/new key?
http://logging.apache.org/log4net/download_log4net.cgi
I can share some thought about this new key philosophy regarding they anyone
should be able to patch it but I think it is wrong. How can I validate a
package from untrusted sources if they have access to the 'official' private
key ?
If anyone needs strong named assemblies then that is for reasons. If they want
to have a patchable log4net then they should compile their own version with
their own key.
For example, somebody has created a log4net nuget :
http://nuget.org/packages/log4net
How can I validate if this is an official binary? It could do al sorts of stuff
if everybody can just recompile it and put it on such a big site as
nuget.orghttp://nuget.org
This is just bad and my guess is that if the official release is not the old
key that you just killed log4net as nobody wants to recompile all their
dependancies.
And still, if you want to move to a new 'public' key pair (which as I mentioned
is a bad bad bad thing) then dont create an official 'old' key binary.
--
Ramon