On Saturday, March 29, 2025 1:52:15 PM Pacific Daylight Time Fred Wright via devel wrote:
> How many people care about signatures *and* don't trust the ntpsec
> signature *and* worry about the waf signature?

None, probably. I'm trying to look beyond the shallow for once.

> It seems to me that that issue could be adequately addressed by including
> a comment in the preamble documenting the change. Then someone who
> actually cares about the issue could:
>
> 1) Download the official waf.
>
> 2) Check the signature of the official waf.
>
> 3) Diff the ntpsec waf against the official waf.
>
> This ought to be sufficient to verify that waf isn't suffering from "xz
> disease" (assuming that the tools used in steps 1-3 aren't compromised).
>
> MR available upon request.

Pass; as an alternative, I would drop the exposition in a subsection in INSTALL.adoc; removing only the one byte, leaving the newly incorrect signature intact. Then commit that pottage.

Anyone who wanted to check the signature could then:

1. Grab the check script and public key from waf.io.
2. Import the key using gpg.
3. Run the check script and get a "BAD signature".
4. Use `sed -r "1s/n$/n3/" -i waf` to restore the original shebang.
5. Rerun the check script to get a good signature from an untrusted key.

The significant advantage is that it will work now despite the next micro version being out. Time marches on, but I see no reason to upgrade, yet.

_______________________________________________
devel mailing list
devel@ntpsec.org
https://lists.ntpsec.org/mailman/listinfo/devel
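The five-step check described in the reply, and Fred's steps 1-3, written out as a script. This is an added example, not code from the thread, from NTPsec or from waf.io: it assumes the upstream `waf`, its detached signature and the signing public key have already been downloaded to local files (their names are passed as arguments, since the thread does not give them), and that the vendored copy differs from upstream only by the dropped trailing `3` of the shebang. The shebang substitution is the one from the message, but written through a temporary file rather than `-i` so it is portable and cannot truncate the file; the signature check uses a throwaway GnuPG home directory so nothing is imported into the checking machine's own keyring.

```shell
#!/bin/sh
# Added example (not from the list thread): verify a vendored waf against
# the signed upstream release, then confirm the only difference is the shebang.
# Assumptions: upstream script, detached signature and public key are local
# files given as arguments; names are placeholders, not waf.io's real names.
set -eu

# Step 4 of the message: put back the trailing "3" the vendored copy dropped.
# Writes to a temp file and renames, so a missing "p" or a stray -n cannot
# leave an empty file behind. Idempotent: a line already ending in "3" is untouched.
restore_shebang() {
    # $1: path of the file to repair in place
    sed '1s/n$/n3/' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Exit 0 when the two files are byte-identical, 1 otherwise.
same_bytes() {
    cmp -s "$1" "$2"
}

# Steps 1-3 of Fred's list and steps 2-5 of the reply, combined:
#   $1 vendored waf   $2 upstream waf   $3 detached signature   $4 public key
# The signature is checked in a fresh, empty GnuPG home so the host's trust
# database is neither consulted nor modified; a key that has never been
# certified still yields "Good signature" with an untrusted-key warning, which
# is exactly the result the message expects.
check_vendored_waf() {
    vendored=$1 upstream=$2 sig=$3 pubkey=$4

    gnupghome=$(mktemp -d)          # mktemp -d creates it mode 0700, as gpg wants
    gpg --batch --homedir "$gnupghome" --import "$pubkey"
    gpg --batch --homedir "$gnupghome" --verify "$sig" "$upstream"
    rm -rf "$gnupghome"

    work=$(mktemp)
    cp "$vendored" "$work"
    restore_shebang "$work"
    if same_bytes "$work" "$upstream"; then
        echo "vendored waf matches signed upstream apart from the shebang"
        rm -f "$work"
        return 0
    fi
    # Anything printed here is a change beyond the documented one byte and
    # is what the "xz disease" concern is about: read it before trusting the copy.
    echo "vendored waf differs from signed upstream beyond the shebang:"
    diff -u "$upstream" "$work" || true
    rm -f "$work"
    return 1
}

# Only run the full check when all four paths are supplied on the command line.
if [ "$#" -eq 4 ]; then
    check_vendored_waf "$1" "$2" "$3" "$4"
fi
```

Invoke it as `sh check_waf.sh ./waf ./waf-upstream ./waf-upstream.asc ./waf-pubkey.asc` (placeholder names). A non-zero exit from the `gpg --verify` line stops the script before any diff is shown, so a bad upstream signature is never masked by a clean diff; a clean signature followed by a non-empty diff is the case that needs a human to look.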