[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: 1.2.0-rc2 tarballs up for testing/signing

From: <kfogel_at_collab.net>
Date: 2005-04-22 16:37:47 CEST

Ben Collins-Sussman <sussman@collab.net> writes:
> > Could someone explain to me the purpose of signatures when the sums
> > have been provided by the packager?
>
> "I, as a committer on the svn project, have hereby tested these
> tarballs and deem them suitable for release to the general public."

And more importantly:

   "I, as someone to whom you perhaps have a GPG/PGP trust path,
    certify that the tarball you are downloading is the same one I
    tested."

The point is that, with a sufficiently devious attacker, checksums can
be interfered with via a man-in-the-middle attack, but public-key
signatures cannot (or at least, it's *much* harder).

-Karl

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Received on Fri Apr 22 17:07:58 2005

This is an archived mail posted to the Subversion Dev mailing list.