incubator-ooo-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Christian Lohmaier <>
Subject Re: Shutdown of the "" host and its Mirrorbrain instance
Date Tue, 25 Oct 2011 18:58:23 GMT
Hi Robert, *,

On Tue, Oct 25, 2011 at 5:05 PM, Robert Burrell Donkin
<> wrote:
> On Tue, Oct 25, 2011 at 1:38 PM, Christian Lohmaier
> <> wrote:
>> On Tue, Oct 25, 2011 at 2:15 PM, Robert Burrell Donkin
>> <> wrote:
>>> On Tue, Oct 25, 2011 at 12:36 PM, Christian Lohmaier
>>> <> wrote:
>>>> [...]
>>> Better to download the signature over HTTPS but yes, I see no reason
>>> why this approach could not be made to work
>> With signature I meant a real signature (gpg signature), not a md5sum
>> or sha1sum file.
>> When it is a cryptographic signature, it doesn't matter how you
>> download it, as it cannot be faked.
>> (of course the user has to get the proper key, but that's a different issue)
> FWIW it's a defense in depth measure[1]
> [1] Consider an attacker with some ability to fabricate convincing
> signatures.

Define "convincing signatures". If anyone were to be able to create
convincing gpg singatures of Apache releases, then this...

> Downloading the signature from a trusted server means that
> such an attacker would need to replace an existing signature on secure
> hardware without detection.

is moot anyway, the lesser problem to be concerned about. And this
btw. is not any different than to download the torrent via https.

>> So it is not a matter of infrastructure, but a matter of policy.
> Where's the URL for this policy?

I didn't mean to imply there was a set-in-stone policy already. What I
meant was that it is up to the project to decide whether torrents are
used or not, that the technical implementation of using torrents is so
simple that apache infrastructure is not needed at all. You want
torrents, you got torrents. You don't want them, you just don't use

(Of course I don't know whether Apache as a whole has a written policy
or guidelines wrt. using torrents, but I don't think there is one)


View raw message