Christian Stork <cstork@ics.uci.edu> writes:
> Hmm, then you guys might have a problem:
>
> - svn x.y.0rc1 was signed by all relevant people but not released due to
> a security flaw discovered in the last minute.
> - svn x.y.0 released without security flaw.
>
> Evil Hacker can now reuse the x.y.0rc1 sigs to make Good Company believe
> it installed svn x.y.0 even though they installed the flawed x.y.0rc1
> but they feel secure since they checked all relevant sigs.
>
> This would be a sort of replay attack, I guess.
This is unrelated to our numbering strategy.
If release X is blessed by sufficient signers, and then later
discovered to have a security flaw, then those who installed release X
need to upgrade to a new, different release with its own sigs. That's
true no matter what the names of the releases are.
I don't understand exactly what Evil Hacker would do to make Good
Company believe that the x.y.0-rc1 sigs apply to x.y.0. The two
tarballs are different, so the sigs will be different.
?
-Karl
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Received on Thu Feb 2 21:05:57 2006