openoffice-dev mailing list archives

From Daniel Shahaf <danie...@apache.org>
Subject Re: Proposal: Improve security by limiting committer access in SVN -- KEYS Compromise Exposure
Date Mon, 29 Apr 2013 22:58:23 GMT
Dennis E. Hamilton wrote on Mon, Apr 29, 2013 at 10:31:14 -0700:
>  5. This is sufficient to poison a download mirror site with
>  a counterfeit download so long as the ASC, SHA1, and MD5 locations
>  can also be spoofed without the user noticing.  

Right.  The normal answer here is "They will have to commit to the dist/
repository which will cause a post-commit mail which someone will
notice".  I'd be interested in hearing (on infra-dev@) how you break
this without assuming a mirror gets compromised (if _that_ happens,
it's game over for users who don't verify PGP sigs).
