[ANNOUNCE] bzr-svn 0.4.1
John Whitley
whitley at acm.org
Mon Aug 27 23:30:48 BST 2007
Jelmer Vernooij wrote:
> Adeodato Simó wrote:
>> Is there a compelling reason to sign the tar and not the tar.gz?
> Mainly a matter of habit: I do this so if I also distribute a .tar.bz2
> file, I only need one signature.
I would also like to see the tar.gz signed instead of the tar. Not
only is it more convenient, it's better practice to sign the entire
downloadable artifact (the .tar.gz) rather than a product of it
(the .tar).
For example, an attacker who knew about a vulnerability in g(un)zip
might be able to craft a .tar.gz that would execute shellcode on a
user's system before gpg --verify was even run.
-- John
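As an added example, not part of John's message or of the bzr-svn project, a sh function that applies the practice he describes: verify the detached signature over the downloaded .tar.gz bytes first, and hand the archive to gunzip/tar only after that check passes. It assumes the detached signature sits beside the archive as <archive>.asc and that the signer's public key is already in the local keyring.

```shell
#!/bin/sh
# Verify the OpenPGP signature over the exact bytes that were downloaded
# (the .tar.gz), so gunzip and tar never see the archive until it is known
# to be the one the maintainer signed.
# Usage: verify_then_extract bzr-svn-0.4.1.tar.gz [destdir]
# Assumption (not from the thread): the signature file is <archive>.asc.
verify_then_extract() {
    archive=$1
    dest=${2:-.}
    sig="$archive.asc"

    [ -f "$archive" ] || { echo "missing archive: $archive" >&2; return 2; }
    # An unsigned download is refused outright rather than extracted.
    [ -f "$sig" ] || { echo "missing signature: $sig (refusing to extract)" >&2; return 2; }
    command -v gpg >/dev/null 2>&1 || { echo "gpg not available" >&2; return 3; }

    # gpg reads the compressed file as opaque bytes; no decompressor has
    # touched untrusted input at this point.
    if ! gpg --batch --verify "$sig" "$archive" 2>/dev/null; then
        echo "BAD signature on $archive; not extracting" >&2
        return 1
    fi

    # Only now is the archive trusted enough to be decompressed and unpacked.
    tar -xzf "$archive" -C "$dest"
}
```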