[taler-exchange] 01/02: update response

[gnunet]

This is an automated email from the git hooks/post-receive script.

grothoff pushed a commit to branch master
in repository exchange.

commit 4d298f9bea8a98acc5d4b7d738af02313b203658
Author: Christian Grothoff <christian@grothoff.org>
AuthorDate: Sun Jul 12 10:22:35 2020 +0200

    update response
---
 doc/audit/response-202005.tex | 19 ++++++++++++-------
 doc/prebuilt                  |  2 +-
 2 files changed, 13 insertions(+), 8 deletions(-)

diff --git a/doc/audit/response-202005.tex b/doc/audit/response-202005.tex
index b07e053e..5d90b4c7 100644
--- a/doc/audit/response-202005.tex
+++ b/doc/audit/response-202005.tex
@@ -15,9 +15,8 @@
 
 \section{Abstract}
 
-This is the preliminary response to the source code audit report CodeBlau
-created for GNU Taler in Q2/Q3 2020.  A final response with more details is
-expected later this year.
+This is the response to the source code audit report CodeBlau
+created for GNU Taler in Q2/Q3 2020. 
 
 \section{Management Summary}
 
@@ -44,10 +43,16 @@ We appreciate CodeBlau's extensive list of checks the Taler 
auditor performs,
 which was previously not documented adequately by us. We agree that the
 auditor still needs more comprehensive documentation.
 
-As for issue \#6416, we agree with the analysis and the proposed fix, even if
-the implications are not fully clear. It has not yet been implemented as we
-want to carefully review all of the SQL statements implicated in the
-resolution and ensure we fully understand the implications.
+As for issue \#6416, we agree with the analysis. However, the proposed fix
+of making the primary key include the denomination would create other problems,
+such as the exchange sometimes not having the denomination key (link, refund)
+and the code in various places relying on the assumption of the coin's
+public key being unique. Furthermore, allowing coin key re-use may validate
+a terrible practice. We thus decided it is better to ``fail early'', and
+modified the code to check that the coin public key is ``unique'' during
+deposit, refresh and recoup and ensured that the exchange returns a proof
+of non-uniqueness in case of a violation. The test suite was extended to
+cover the corner case.
 
 \section{Issues in GNUnet}
 
diff --git a/doc/prebuilt b/doc/prebuilt
index eef86710..ca53235c 160000
--- a/doc/prebuilt
+++ b/doc/prebuilt
@@ -1 +1 @@
-Subproject commit eef86710c7deade01361f8985fd9a6fe6a21e8ff
+Subproject commit ca53235ccfa0458ebf11c204888ca370e20ec3f5

-- 
To stop receiving notification emails like this one, please contact
gnunet@gnunet.org.