Re: Security flaw caused by RC sigs [was: Release policy question]

On Thu, Feb 02, 2006 at 04:49:24PM -0500, Greg Hudson wrote:
> On Thu, 2006-02-02 at 12:45 -0800, Christian Stork wrote:
> > On Thu, Feb 02, 2006 at 12:25:35PM -0600, kfogel@collab.net wrote:
> > Evil Hacker doesn't! She installs x.y.0-rc1 under the name x.y.0 and
> > gives Good Company the sigs of the RC. Then Good Company verifies the
> > sigs using the public keys of some committers which it received at some
> > key signing party.

> The tarball does contain the version number inside, so Good Company will
> presumably notice that the tarball named x.y.0 actually contains
> x.y.0-rc1.

> If we've reused the version number from a testing tarball, that would be
> a problem, but we've never considered reusing a version number because
> of a security flaw, only because of a packaging failure which caused
> build problems or the like. There is no security issue with
> substituting such a broken x.y.0 tarball for the real one.

OK, that makes sense then wrt to the testing tarballs (and should be
enshrined in the release policiy!).

But what's the point of the RC signatures then? For secure communication
among the developers?? Or are you just "practicing" the release process?

-- 
Chris Stork   <>  Support eff.org!  <>   http://www.ics.uci.edu/~cstork/
OpenPGP fingerprint:  B08B 602C C806 C492 D069  021E 41F3 8C8D 50F9 CA2F
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org