On Thu, Sep 18, 2008 at 2:26 PM, William A. Rowe, Jr. <[EMAIL PROTECTED]> wrote:
> Hiram Chirino wrote:
>>
>> So the responsibility is still on us, the upstream distributor, to
>> verify the checksums we list in our source distro are correct.
>> But at least by doing this, downstream users of our source distros
>> can rest assured that the dependencies that they are using are the
>> correct ones.
>
> Not if there is a man in the middle attack. If you didn't notice the
> recent noise w.r.t. DNS pollution, that's the very point of that vector.
> Had it been exploited, tens of thousands of download users could have
> been presented with inauthentic maven artifacts, complete with their
> freshly corresponding checksums. Welcome to the internet.
Yes, but that kind of attack would only affect me if it's the first time I'm
creating a dependency to that artifact. Furthermore, other existing users of
the artifact would detect the artifact replacement, and act to get the problem
corrected.

I consider the checksum solution very similar to how SSH works in asking you to
verify your initial connection to a host. It's not 100% secure, but in
practical use, it's in the high 90s. :)

--
Regards,
Hiram

Blog: http://hiramchirino.com
Open Source SOA
http://open.iona.com
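The two positions in this exchange map onto two different places a checksum can come from, and the difference is easy to show in code. Below is an added illustration, not code from the thread, from Maven or from any project discussed here: a pinned manifest (checksums shipped in the source distro, recorded trust-on-first-use the way Hiram describes) is checked against downloaded bytes, beside the weaker pattern Rowe warns about, where the checksum is fetched from the same channel as the artifact. Artifact coordinates, the manifest layout and the byte strings are all constructed for the example; SHA-256 is used rather than Maven's historical SHA-1 sidecars.

```python
import hashlib
import hmac

# Constructed sample "artifacts": these byte strings stand in for downloaded jars.
ARTIFACT_GOOD = b"constructed jar content, release 1.0"
ARTIFACT_TAMPERED = b"constructed jar content, release 1.0, plus an injected class"

# Constructed coordinate; real Maven coordinates are group:artifact:version.
COORDINATE = "org.example:somelib:1.0"


def sha256_hex(data: bytes) -> str:
    """Hex digest of the artifact bytes."""
    return hashlib.sha256(data).hexdigest()


def verify_pinned(manifest: dict, coordinate: str, data: bytes,
                  record_first_use: bool = False) -> str:
    """Check artifact bytes against a checksum pinned out-of-band (e.g. listed
    in the upstream source distribution).

    Returns one of:
      'ok'        pinned checksum matches the downloaded bytes
      'mismatch'  pinned checksum differs: the artifact was replaced or corrupted
      'recorded'  no pin existed and trust-on-first-use recorded this digest
      'unpinned'  no pin existed and recording was not allowed
    """
    digest = sha256_hex(data)
    pinned = manifest.get(coordinate)
    if pinned is None:
        if record_first_use:
            # Trust-on-first-use: like SSH's first connection to a host, the
            # first observed digest becomes the pin. A later substitution
            # is detected; a substitution on this first fetch is not.
            manifest[coordinate] = digest
            return "recorded"
        return "unpinned"
    # Constant-time comparison; the digests are same-length hex strings.
    return "ok" if hmac.compare_digest(pinned, digest) else "mismatch"


def verify_against_sidecar(data: bytes, sidecar_digest: str) -> bool:
    """The weak pattern: compare the artifact with a checksum file served by
    the same host in the same session. This only detects transfer
    corruption. An attacker who can serve a substituted artifact (e.g. via
    the DNS poisoning Rowe refers to) serves a matching sidecar too, so
    the check passes for the substituted bytes."""
    return hmac.compare_digest(sha256_hex(data), sidecar_digest)


def demo() -> tuple:
    """Walk through first use, a clean re-fetch and a substituted artifact."""
    manifest = {}  # what the upstream source distro would ship, built here by TOFU
    first = verify_pinned(manifest, COORDINATE, ARTIFACT_GOOD, record_first_use=True)
    again = verify_pinned(manifest, COORDINATE, ARTIFACT_GOOD)
    swapped = verify_pinned(manifest, COORDINATE, ARTIFACT_TAMPERED)
    # Same substitution, but checked only against a sidecar the attacker controls.
    sidecar_passes = verify_against_sidecar(ARTIFACT_TAMPERED, sha256_hex(ARTIFACT_TAMPERED))
    return first, again, swapped, sidecar_passes


if __name__ == "__main__":
    print(demo())
```

The pinned check is what makes Hiram's "existing users would detect the replacement" true: once a digest is in the manifest, any later substitution is a `mismatch`. The sidecar check shows Rowe's objection: when the checksum travels the same path as the artifact, a man in the middle supplies both and the comparison says nothing about authenticity. The residual exposure of the pinned approach is the first fetch, which is why the thread compares it to SSH host keys rather than to a signature scheme.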