| 1 |
On Fri, Jun 8, 2012 at 7:01 AM, W. Trevor King <wking@×××××××.us> wrote: |
| 2 |
> When the breach is discovered, you can then isolate the dev (or devs) |
| 3 |
> who implicitly signed the hack (2) by pulling the ToT without checking |
| 4 |
> for a valid signature (3). Then you yell at them for sloppy security, |
| 5 |
> and tell them to install your signature-checking post-receive hook. |
| 6 |
|
| 7 |
Well, if devs are supposed to do this, we should probably write this |
| 8 |
down as a policy somewhere. Probably wouldn't hurt if the |
| 9 |
post-receive hook actually existed, and it was designed to only work |
| 10 |
on the official tree otherwise everybody will just uninstall it since |
| 11 |
people don't just pull from the official tree. |
| 12 |
|
| 13 |
I doubt any dev checks the signatures on manifest files before they |
| 14 |
overwrite them with a new signature. If they did it wouldn't matter |
| 15 |
since those signatures aren't even mandatory anyway. Certainly it |
| 16 |
isn't intuitive to me that when I perform a signature on changes I |
| 17 |
make that I'm also vouching for work committed by somebody else before |
| 18 |
me. |
| 19 |
|
| 20 |
Process can be as effective as technology in achieving security, but |
| 21 |
only if those processes are clear, and unintrusive enough to ensure |
| 22 |
they are followed. I wouldn't count on being able to yell at |
| 23 |
developers - first it does nothing to solve the mess that you'd be in |
| 24 |
at that point, and second you can only yell at volunteers so much. |
| 25 |
|
| 26 |
Rich |
Archives