On Fri, Jun 8, 2012 at 7:01 AM, W. Trevor King <wking@...> wrote:
> When the breach is discovered, you can then isolate the dev (or devs)
> who implicitly signed the hack (2) by pulling the ToT without checking
> for a valid signature (3). Then you yell at them for sloppy security,
> and tell them to install your signature-checking post-receive hook.
Well, if devs are supposed to do this, we should probably write this
down as a policy somewhere. Probably wouldn't hurt if the
post-receive hook actually existed, and it was designed to only work
on the official tree otherwise everybody will just uninstall it since
people don't just pull from the official tree.
I doubt any dev checks the signatures on manifest files before they
overwrite them with a new signature. If they did it wouldn't matter
since those signatures aren't even mandatory anyway. Certainly it
isn't intuitive to me that when I perform a signature on changes I
make that I'm also vouching for work committed by somebody else before
Process can be as effective as technology in achieving security, but
only if those processes are clear, and unintrusive enough to ensure
they are followed. I wouldn't count on being able to yell at
developers - first it does nothing to solve the mess that you'd be in
at that point, and second you can only yell at volunteers so much.