logging-general mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Christian Grobmeier" <grobme...@gmail.com>
Subject Re: KEYS in dist (was Re: [VOTE] Release Log4Net 1.2.13 based on RC3)
Date Thu, 21 Nov 2013 09:05:01 GMT
On 21 Nov 2013, at 9:56, Stefan Bodewig wrote:

> On 2013-11-21, Christian Grobmeier wrote:
>> On 21 Nov 2013, at 8:15, Stefan Bodewig wrote:
>>> On 2013-11-21, Christian Grobmeier wrote:
>>>> One no blocker which I just saw: the KEYS file is included in the
>>>> dist. Shouldn't it be left out?
>>> I think we've always done it that way in log4net and I know Ant has been
>>> doing so since 2000 - what's wrong with it?
>> when somebody downloads it and opens the zip, it is tempting to
>> validate the package against the included KEYS file. But if somebody
>> could manipulate the content of the package, he also could manipulate
>> the KEYS file.  For that reason the KEYS file should be on a different
>> location. This is the case, that's why I meant it's not critical. It
>> is on the other hand tempting to take the included oneā€¦ nitpickery!
>> Thanks for pushing out the release!
> If this "somebody" downloaded the signature from the ASF and not from a
> mirror then the signature will not work if the zip has been modified, no
> matter which KEYS file it contains.  Unless you think the attacker has
> modifie the signature, but then the KEYS file in the dist area would be
> as vulnerable as that.

Good point. Not sure if this is actually a problem or not.
When I have time I will ask one of the infra gurus.


> Stefan


View raw message