-Original Message-
From: Daniel Shahaf [mailto:danie...@apache.org]
Sent: Monday, April 29, 2013 15:58
To: Dennis E. Hamilton
Cc: dev@openoffice.apache.org; pesce...@apache.org
Subject: Re: Proposal: Improve security by limiting committer access in SVN --
KEYS Compromise Exposure
Dennis E. Hamilton wrote on Mon, Apr 29, 2013 at 10:31:14 -0700:
> 5. This is sufficient to poison a download mirror site with
> a counterfeit download so long as the ASC, SHA1, and MD5 locations
> can also be spoofed without the user noticing.
Right. The normal answer here is "They will hav
Today, I did some digging around with respect to a different project and I
noticed a vulnerability that had not been discussed:
1. Assume that the credentials of an Apache OpenOffice Committer are
compromised (or the committer goes rogue).
2. This allows the compromised/rogue credentials to be