[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: 1.2.0-rc2 tarballs up for testing/signing

From: <kfogel_at_collab.net>
Date: 2005-04-22 19:33:45 CEST

Andrew Thompson <subversionuser@aktzero.com> writes:
> So you're assuming that the tarball you received is good, or you
> pulled and created your own tarball?
> If yes to the first part, isn't that a flawed scenario if an attacker
> got to it before you signed it?

News Flash: Perfect Security Impossible, details at 11.


Seriously. The signers confirm the checksums with the release manager
by phone or other private, difficult-to-compromise channels. Only
then do we sign the thing. If Ben Reser works for the NSA, then we're
all in trouble, but then again, how can you be sure your compiler
isn't compromised anyway?

To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Received on Fri Apr 22 20:05:33 2005

This is an archived mail posted to the Subversion Dev mailing list.