Re: 1.2.0-rc2 tarballs up for testing/signing

From: <kfogel_at_collab.net>
Date: 2005-04-22 16:37:47 CEST

Ben Collins-Sussman <sussman@collab.net> writes:
> > Could someone explain to me the purpose of signatures when the sums
> > have been provided by the packager?
>
> "I, as a committer on the svn project, have hereby tested these
> tarballs and deem them suitable for release to the general public."

And more importantly:

   "I, as someone to whom you perhaps have a GPG/PGP trust path,
    certify that the tarball you are downloading is the same one I
    tested."

The point is that, with a sufficiently devious attacker, checksums can
be interfered with via a man-in-the-middle attack, but public-key
signatures cannot (or at least, it's *much* harder).

-Karl

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Received on Fri Apr 22 17:07:58 2005

This message: [ Message body ]
Next message: kfogel_at_collab.net: "Re: svn update -N"
Previous message: kfogel_at_collab.net: "Re: [Issue 2224] "svn copy mydir mydir" recurses infinitely!"
In reply to: Ben Collins-Sussman: "Re: 1.2.0-rc2 tarballs up for testing/signing"
Next in thread: Andrew Thompson: "Re: 1.2.0-rc2 tarballs up for testing/signing"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]