commons-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "" <>
Subject Re: [all] releases
Date Wed, 23 Apr 2008 08:36:41 GMT
Torsten Curdt schrieb:
>> Risks are mitigated to an arguably acceptable level by wrappering the
>> entire release process at Apache around the point to point secure
>> transport guarantee that signing is meant to provide.
> That holds only true if you don't use mirrors and people get the
> releases directly from us.
>> I am generally hesitant to introduce any more overhead for folks to
>> step up to RM'ing releases than is strictly necessary, given that this
>> community needs a lot more of 'em.
> I agree ...but as said. I am happy to step up and just do the signing
> if that really is the bottleneck.
>> The amount of security rigor applied that would cause an unsigned key
>> to be a blocking factor for signing releases would probably also
>> discount the above from being acceptable.
> Why is that? I cannot follow that argument
>> As one data point of the operational reality, there were several
>> artifacts released using my key which was unsigned for years until a
>> little over a week ago.
> Not good. But now that your key is signed it retroactively validates
> the releases. Actually with all the release nitpicking we do I am
> surprised this hasn't been brought up - or got ignored ;)
> Frankly speaking I think the signing is the least blocking part in our
> release process. We have enough PMC members that have a cross signed key.

What is the possible attack here? The keys are not mirrored, so anyone
who actually double-checks the signature on something they download will
be fetching the key direct from the apache server. If an attacker can
replace the binary, the signature will not match any of the keys we
publish. If the attacker can replace the keys file on the main apache
server, then we have some very serious problems.

I guess in this worst case (main apache server hacked, keys file
replaced) a paraniod downloader who already has downloaded
double-checked keys of a wide range of other apache committers could see
that the hacker's key is not cross-signed and so might notice that the
hacker's key they fetched from the apache server has not been
cross-signed by anyone they already know. But that's NSA-level paranoia...

I've done several releases with my key, which has never been
cross-signed by anyone.


To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message