[tz] leap-seconds.list format

Paul Eggert eggert at cs.ucla.edu
Tue Feb 13 00:19:35 UTC 2024


On 2/11/24 13:45, brian.inglis--- via tz wrote:
> I was referring solely to the original IERS source files 
> leap-seconds.{[0-9]{10,},list} and all we can do for now to validate 
> them, using sha1 and eyeball.

If I understand this correctly, the worry is that an attacker would 
somehow convince us that a leap second would occur on (say) December 31, 
2024 and talk us into installing a bogus leap-seconds.list file into the 
development repository, and that we'd then generate a new TZDB release. 
Such a release would contain a leap-seconds.list file that was signed by 
us, but incorrect.

I'd place this low on the list of things to worry about. Although it'd 
be better if the IERS signed their files, we publicize leap second 
updates on the TZDB mailing list and it seems unlikely such an attack 
would go unnoticed and unremarked upon before a TZDB release.
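
An added example, not part of the original message or of the tz project's code: a Python sketch of the "sha1 and eyeball" check, pairing the file's embedded hash with a diff against the previously accepted file, since the hash alone cannot show who wrote the file. It assumes the `#h` line is the SHA-1 of the digits from the `#$` and `#@` lines and the data lines, in file order; the function names and the sample files are constructed for illustration.

```python
import hashlib
import re

def parse(text):
    """Return (hashed_digits, entries, stated_hash) for leap-seconds.list text."""
    digits, entries, stated = [], [], None
    for line in text.splitlines():
        if line.startswith(("#h ", "#h\t")):
            # Five hex words; pad each to 8 digits in case leading zeros were dropped.
            stated = "".join(w.zfill(8) for w in line[2:].split()).lower()
        elif line.startswith(("#$", "#@")):          # last-update and expiry stamps
            digits.append(re.sub(r"\D", "", line[2:]))
        elif line.strip() and not line.startswith("#"):
            fields = line.split("#", 1)[0].split()   # NTP timestamp, TAI-UTC offset
            digits.append("".join(fields))
            entries.append((int(fields[0]), int(fields[1])))
    return "".join(digits), entries, stated

def hash_ok(text):
    """True if the embedded #h matches the data. This detects corruption only:
    the hash is unkeyed, so it says nothing about who produced the file."""
    digits, _, stated = parse(text)
    return stated is not None and hashlib.sha1(digits.encode()).hexdigest() == stated

def review(old_text, new_text):
    """Return (changed_or_removed, added) entries relative to the accepted file.
    Anything listed here is what a human confirms against an IERS announcement."""
    old, new = parse(old_text)[1], parse(new_text)[1]
    return [e for e in old if e not in new], [e for e in new if e not in old]

def with_hash(body):
    """Append a #h line; used here only to build the constructed samples."""
    h = hashlib.sha1(parse(body)[0].encode()).hexdigest()
    return body + "#h " + " ".join(h[i:i + 8] for i in range(0, 40, 8)) + "\n"

# Constructed sample data: stamps and the 2025 entry are made up for this example.
BASE = ("#$ 3900000000\n#@ 3930000000\n"
        "2272060800 10 # 1 Jan 1972\n"
        "3692217600 37 # 1 Jan 2017\n")
OLD = with_hash(BASE)
NEW = with_hash(BASE + "3944678400 38 # 1 Jan 2025\n")

if __name__ == "__main__":
    print("hash consistent:", hash_ok(NEW))
    print("needs review (changed, added):", review(OLD, NEW))
```

In the sample, `NEW` passes the hash check yet `review` still lists its extra entry, which is the part that needs a human to confirm.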


