
Re: 1.2.0-rc2 tarballs up for testing/signing

From: <kfogel_at_collab.net>
Date: 2005-04-22 19:33:45 CEST

Andrew Thompson <subversionuser@aktzero.com> writes:
> So you're assuming that the tarball you received is good, or you
> pulled and created your own tarball?
>
> If yes to the first part, isn't that a flawed scenario if an attacker
> got to it before you signed it?

News Flash: Perfect Security Impossible, details at 11.

:-)

Seriously. The signers confirm the checksums with the release manager
by phone or other private, difficult-to-compromise channels. Only
then do we sign the thing. If Ben Reser works for the NSA, then we're
all in trouble, but then again, how can you be sure your compiler
isn't compromised anyway?

Received on Fri Apr 22 20:05:33 2005
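
The gate described in the mail above, sketched as an added example that is not part of the original post or of the Subversion project's release tooling: the signature is made only when the tarball's digest equals the full value confirmed out of band. SHA-256 via `sha256sum`, the function names, and the `SIGN_CMD` override are assumptions; the mail only says "checksums".

```shell
#!/bin/sh
# Added illustration: refuse to sign unless the digest confirmed by phone
# (or another private channel) matches the file in hand.
# Assumptions: SHA-256 via coreutils sha256sum; all names are hypothetical.

# Normalise a digest as dictated or pasted: drop whitespace/colons, lowercase.
normalize_digest() {
    printf '%s' "$1" | tr -d ' \t\r\n:' | tr 'A-F' 'a-f'
}

# Return 0 only if the file's SHA-256 equals the complete confirmed digest.
digest_matches() {
    file=$1
    confirmed=$(normalize_digest "$2")
    # Reject anything that is not a full 64-hex-digit value, so a
    # "first few characters match" comparison can never pass.
    case $confirmed in
        *[!0-9a-f]*) return 2 ;;
    esac
    [ "${#confirmed}" -eq 64 ] || return 2
    [ -r "$file" ] || return 3
    actual=$(sha256sum -- "$file" | cut -d' ' -f1)
    [ "$actual" = "$confirmed" ]
}

# Sign only after the check passes. SIGN_CMD can be overridden for a dry run.
sign_if_confirmed() {
    file=$1
    if digest_matches "$file" "$2"; then
        ${SIGN_CMD:-gpg --armor --detach-sign} "$file"
    else
        echo "refusing to sign $file: digest not confirmed" >&2
        return 1
    fi
}
```

The check only moves the trust question to the channel used for confirmation: a matching digest shows the signer holds the same bytes as the release manager, not that those bytes are benign.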

This is an archived mail posted to the Subversion Dev mailing list.
