jackrabbit-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Jukka Zitting" <jukka.zitt...@gmail.com>
Subject Re: How to verify Jackrabbit binaries
Date Tue, 22 Apr 2008 09:20:03 GMT

On Tue, Apr 22, 2008 at 11:27 AM, Thomas Mueller
<thomas.tom.mueller@gmail.com> wrote:
>  4) After uploading, a hacker replaced the files and checksums
>  [...]
>  Item 4: Download mirrors could cross-check each other. Are they doing
>  that? Another idea is to set up a daemon somewhere that downloads
>  Jackrabbit from time to time and compares against the initial set of
>  files (and sends a mail if there is a problem). Is there a service
>  somewhere that does that?

That's why the download pages point people to get the checksums from
www.apache.org instead of one of the mirrors. A hacker would need to
compromise www.apache.org to break the checksums. And even then the
attacker couldn't fake the GPG signatures bound to the Apache web of

I'd be more concerned about 3 (or other attacks targetting the RM) as
a potential attack vector against our users, but frankly I think the
risk for that is insignificant.


Jukka Zitting

View raw message