
Re: Security flaw caused by RC sigs [was: Release policy question]

From: Greg Hudson <ghudson_at_MIT.EDU>
Date: 2006-02-03 02:56:48 CET

On Thu, 2006-02-02 at 14:45 -0800, Christian Stork wrote:
> > If we've reused the version number from a testing tarball, that would be
> > a problem, but we've never considered reusing a version number because
> > of a security flaw, only because of a packaging failure which caused
> > build problems or the like. There is no security issue with
> > substituting such a broken x.y.0 tarball for the real one.
>
> OK, that makes sense then wrt to the testing tarballs (and should be
> enshrined in the release policy!).
>
> But what's the point of the RC signatures then? For secure communication
> among the developers?? Or are you just "practicing" the release process?

I don't understand why what I said applies any differently to -rc
releases than to regular ones.

Received on Fri Feb 3 02:58:12 2006

This is an archived mail posted to the Subversion Dev mailing list.
