Re: 1.2.0-rc2 tarballs up for testing/signing

From: Andrew Thompson <subversionuser_at_aktzero.com>
Date: 2005-04-22 19:00:12 CEST

Ben Collins-Sussman wrote:
>> Could someone explain to me the purpose of signatures when the sums
>> have been provided by the packager?
>
> "I, as a committer on the svn project, have hereby tested these tarballs
> and deem them suitable for release to the general public."

So you're assuming that the tarball you received is good, or you pulled
and created your own tarball?

If yes to the first part, isn't that a flawed scenario if an attacker
got to it before you signed it?

-- 
Andrew Thompson
http://aktzero.com/
Interested in a hosted SVN repository? Email me, let's talk...
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org

Received on Fri Apr 22 19:01:00 2005

This message: [ Message body ]
Next message: Brian W. Fitzpatrick: "Re: Repository enumeration feature"
Previous message: Brian W. Fitzpatrick: "Re: Trailing / on --url causes spurious test failures"
In reply to: Ben Collins-Sussman: "Re: 1.2.0-rc2 tarballs up for testing/signing"
Next in thread: kfogel_at_collab.net: "Re: 1.2.0-rc2 tarballs up for testing/signing"
Reply: kfogel_at_collab.net: "Re: 1.2.0-rc2 tarballs up for testing/signing"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]