On Monday, August 22, 2011 15:28:57 Robin H. Johnson wrote:
> Unresolved items:
> - commit signing
> - thin Manifests

how exactly are these two supposed to interact ? the previous discussion seemed to miss signing. if devs sign the thin manifests, when we go to produce the full manifest for rsync, we invalidate the signature.

also, a previous assertion was made which i think is incorrect:

    Due to the distributed nature of git, to do mischief, you need to change every clone in the world to be successful

each new sha1 comes from the previous state + new data. so injecting code into the tip and finding a collision is not impossible and does not require modification of anything before it. it would only be detected automatically by people who have the original commit, make new commits on top of that, and then attempt to push back again to the modified tree. i.e. the attack is made against the source Gentoo repo sitting on our machines.

the other attack we want to prevent is MITM when people sync. in this case, someone who syncs over git:// is perpetually vulnerable with thin manifests as the attacker can keep recomputing the collisions so that the modified tree keeps ending up with the same digests as the public one. and the end user never notices without manually reviewing everything themselves.

further, it was stated:

    This has nothing to do with strength of the hash used by git

well, it sort of does. sha1 has been shown to be weaker than brute forcing, and while right now it might not be computationally feasible to inject useful code in realtime, that is not something we should be betting on. attacks only get better over time ... even in 2004 security conscious people started talking about migrating away from it. and now in 2012, we want to talk about migrating purely to it ?

-mike
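The mechanics this message argues about, as an added example that is not part of the original thread or of Gentoo's tooling: it computes git object ids the way git does and builds a thin and a full Manifest for one package, to show which check covers ebuild content. The Manifest layout is simplified, the package data is constructed, and `signed_digest` is a hypothetical stand-in for the data an OpenPGP signature is computed over.

```python
import hashlib

def git_id(kind: str, body: bytes) -> str:
    """Object id as git computes it: SHA-1 over "<kind> <len>\\0" + body."""
    return hashlib.sha1(f"{kind} {len(body)}".encode() + b"\0" + body).hexdigest()

def tree_id(files: dict) -> str:
    """Id of a flat tree of regular files; each entry carries only the blob's SHA-1."""
    body = b"".join(
        b"100644 " + name.encode() + b"\0" + bytes.fromhex(git_id("blob", data))
        for name, data in sorted(files.items())
    )
    return git_id("tree", body)

def commit_id(tree: str, parent: str, msg: str) -> str:
    """Id of a commit: binds the tree id and the parent id (previous state + new data)."""
    who = "Example Dev <dev@example.org> 1314026937 +0000"  # constructed identity
    lines = [f"tree {tree}"] + ([f"parent {parent}"] if parent else [])
    lines += [f"author {who}", f"committer {who}", "", msg, ""]
    return git_id("commit", "\n".join(lines).encode())

def manifest(files: dict, dist: dict, thin: bool) -> bytes:
    """Simplified Manifest: DIST lines always, EBUILD lines only in the full form."""
    def row(kind, name, data):
        return f"{kind} {name} {len(data)} SHA256 {hashlib.sha256(data).hexdigest()}"
    rows = [row("DIST", n, d) for n, d in sorted(dist.items())]
    if not thin:
        rows += [row("EBUILD", n, d) for n, d in sorted(files.items())]
    return ("\n".join(rows) + "\n").encode()

def signed_digest(data: bytes) -> str:
    """Assumption: stands in for the exact bytes a detached signature would cover."""
    return hashlib.sha256(data).hexdigest()

# Constructed sample package; ALTERED differs from GOOD only in the ebuild.
DIST = {"foo-1.0.tar.gz": b"tarball bytes"}
GOOD = {"foo-1.0.ebuild": b'SRC_URI="https://example.org/foo-1.0.tar.gz"\n'}
ALTERED = {"foo-1.0.ebuild": GOOD["foo-1.0.ebuild"] + b"# altered\n"}

def demo() -> dict:
    base = commit_id(tree_id({}), "", "initial")
    return {
        "thin_same_for_altered": manifest(GOOD, DIST, True) == manifest(ALTERED, DIST, True),
        "full_differs_for_altered": manifest(GOOD, DIST, False) != manifest(ALTERED, DIST, False),
        "commit_id_differs": commit_id(tree_id(GOOD), base, "add foo") != commit_id(tree_id(ALTERED), base, "add foo"),
        "sig_survives_regen": signed_digest(manifest(GOOD, DIST, True)) == signed_digest(manifest(GOOD, DIST, False)),
    }
```

With a thin Manifest the ebuild is bound only through the SHA-1 chain (blob id, tree id, commit id), and a signature made over the thin Manifest no longer matches once the full Manifest is generated for rsync.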


