logging-general mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Stefan Bodewig <bode...@apache.org>
Subject KEYS in dist (was Re: [VOTE] Release Log4Net 1.2.13 based on RC3)
Date Thu, 21 Nov 2013 08:56:39 GMT
On 2013-11-21, Christian Grobmeier wrote:

> On 21 Nov 2013, at 8:15, Stefan Bodewig wrote:

>> On 2013-11-21, Christian Grobmeier wrote:

>>> One no blocker which I just saw: the KEYS file is included in the
>>> dist. Shouldn't it be left out?

>> I think we've always done it that way in log4net and I know Ant has been
>> doing so since 2000 - what's wrong with it?

> when somebody downloads it and opens the zip, it is tempting to
> validate the package against the included KEYS file. But if somebody
> could manipulate the content of the package, he also could manipulate
> the KEYS file.  For that reason the KEYS file should be on a different
> location. This is the case, that's why I meant it's not critical. It
> is on the other hand tempting to take the included oneā€¦ nitpickery!
> Thanks for pushing out the release!

If this "somebody" downloaded the signature from the ASF and not from a
mirror then the signature will not work if the zip has been modified, no
matter which KEYS file it contains.  Unless you think the attacker has
modifie the signature, but then the KEYS file in the dist area would be
as vulnerable as that.

Stefan

Mime
View raw message