[Justin Erenkrantz]
> On 02 Feb 2006 12:25:35 -0600, kfogel@collab.net <kfogel@collab.net> wrote:
> > If release X is blessed by sufficient signers, and then later
> > discovered to have a security flaw, then those who installed release X
> > need to upgrade to a new, different release with its own sigs. That's
> > true no matter what the names of the releases are.
>
> There would be no way to know that release X and Y are different if
> they both report themselves as the same version.

I think the Evil Hacker scenario is a strawman. I don't see anyone
reusing a version number when the difference is something as
interesting as a security fix. We're talking about rerolling a tarball
because something procedural was done wrong. (That should be rare in
any case, since the procedures should be pretty much scripted.) Not
actual code changes.

Received on Fri Feb 3 06:59:26 2006