On Thu, Oct 11, 2012 at 9:01 AM, Nick Kew <[email protected]> wrote:

>
> You have to extend that assumption not only to our infrastructure but to
> every proxy that might come between us and a user, and that might
> substitute a trojan along with the trojan's own SHA1.
>

The same reasoning holds for the .asc file. A MITM attack might involve a
mirror replacing the release artefact, along with the .md5, .sha, and .asc
files. If the user is only verifying against those files, then everything
might look kushti. (Assuming they skip the step where they're supposed to
import the KEYS file, or assuming someone replaced that too.)

Which is why we link to the .md5, .sha, .asc, and KEYS files on our servers.
Unless you're assuming a MITM along the request/response path to apache.org,
in which case all bets are off anyway. No?

-- 
NS
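
The point argued in this message, as an added example that is not part of the original email: a substituted artefact passes when its checksum file comes from the same mirror, and fails when the checksum file comes from the origin. The file name, the byte strings, the two in-memory "sites" and the choice of SHA-512 are constructed assumptions; the .asc and KEYS checks are not modelled.

```python
import hashlib
import hmac

HEX = set("0123456789abcdef")

def parse_digest(checksum_text):
    """Extract the hex digest from a checksum file.

    Accepts a bare digest, 'digest  filename' and 'filename: DIGEST' layouts.
    """
    for token in checksum_text.split():
        t = token.lower()
        if len(t) >= 32 and set(t) <= HEX:
            return t
    raise ValueError("no hex digest found in checksum file")

def digest_matches(artifact, checksum_text, algo="sha512"):
    """True if the artefact bytes hash to the digest in checksum_text."""
    actual = hashlib.new(algo, artifact).hexdigest()
    return hmac.compare_digest(actual, parse_digest(checksum_text))

def make_site(artifact, name, algo="sha512"):
    """Build a constructed 'site': the artefact plus a self-consistent .sha file."""
    line = f"{hashlib.new(algo, artifact).hexdigest()}  {name}\n"
    return {name: artifact, name + ".sha": line}

# Constructed sample data (assumption): the origin serves the genuine release,
# the mirror serves a substitute together with the substitute's own checksum.
NAME = "example-1.0.tar.gz"
ORIGIN = make_site(b"genuine release bytes", NAME)
MIRROR = make_site(b"substituted bytes", NAME)

def check_mirror_download(checksum_site):
    """Verify the artefact fetched from the mirror against checksum_site's .sha."""
    return digest_matches(MIRROR[NAME], checksum_site[NAME + ".sha"])

if __name__ == "__main__":
    print("checksum taken from mirror:", check_mirror_download(MIRROR))
    print("checksum taken from origin:", check_mirror_download(ORIGIN))
```
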
