
Re: 1.2.0-rc2 tarballs up for testing/signing

From: Andrew Thompson <subversionuser_at_aktzero.com>
Date: 2005-04-22 19:00:12 CEST

Ben Collins-Sussman wrote:
>> Could someone explain to me the purpose of signatures when the sums
>> have been provided by the packager?
>
> "I, as a committer on the svn project, have hereby tested these tarballs
> and deem them suitable for release to the general public."

So you're assuming that the tarball you received is good, or you pulled
and created your own tarball?

If yes to the first part, isn't that a flawed scenario if an attacker
got to it before you signed it?

-- 
Andrew Thompson
http://aktzero.com/
Interested in a hosted SVN repository? Email me, let's talk...
Received on Fri Apr 22 19:01:00 2005

This is an archived mail posted to the Subversion Dev mailing list.