Re: Security flaw caused by RC sigs [was: Release policy question]

From: Greg Hudson <ghudson_at_MIT.EDU>
Date: 2006-02-03 02:56:48 CET

On Thu, 2006-02-02 at 14:45 -0800, Christian Stork wrote:
> > If we've reused the version number from a testing tarball, that would be
> > a problem, but we've never considered reusing a version number because
> > of a security flaw, only because of a packaging failure which caused
> > build problems or the like. There is no security issue with
> > substituting such a broken x.y.0 tarball for the real one.
>
> OK, that makes sense then wrt to the testing tarballs (and should be
> enshrined in the release policiy!).
>
> But what's the point of the RC signatures then? For secure communication
> among the developers?? Or are you just "practicing" the release process?

I don't understand why what I said applies any differently to -rc
releases than to regular ones.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Received on Fri Feb 3 02:58:12 2006

This message: [ Message body ]
Next message: Christian Stork: "Re: Security flaw caused by RC sigs [was: Release policy question]"
Previous message: David James: "Ruby bindings crashes with SWIG 1.3.28"
In reply to: Christian Stork: "Re: Security flaw caused by RC sigs [was: Release policy question]"
Next in thread: Christian Stork: "Re: Security flaw caused by RC sigs [was: Release policy question]"
Reply: Christian Stork: "Re: Security flaw caused by RC sigs [was: Release policy question]"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]