Anybody using the old waf?
Fred Wright
fw at fwright.net
Sun Mar 30 05:34:42 UTC 2025
On Sat, 29 Mar 2025, James Browning via devel wrote:
> On Saturday, March 29, 2025 1:52:15 PM Pacific Daylight Time Fred Wright via
> devel wrote:
>> How many people care about signatures *and* don't trust the ntpsec
>> signature *and* worry about the waf signature?
>
> None, Probably. I'm trying to look beyond the shallow for once.
>
>> It seems to me that that issue could be adequately addressed by including
>> a comment in the preamble documenting the change. Then someone who
>> actually cares about the issue could:
>>
>> 1) Download the official waf.
>>
>> 2) Check the signature of the official waf.
>>
>> 3) Diff the ntpsec waf against the official waf.
>>
>> This ought to be sufficient to verify that waf isn't suffering from "xz
>> disease" (assuming that the tools used in steps 1-3 aren't compromised).
>>
>> MR available upon request.
>
> Pass; as an alternative, I would drop the exposition in a subsection in
> INSTALL.adoc; removing only the one byte, leaving the newly incorrect
> signature intact. Then commit that pottage.
It looks like the addition was made to INSTALL.adoc, but without the
actual change to waf.
Fred Wright
More information about the devel
mailing list