| 1 |
On Sat, Sep 03, 2011 at 01:41:09AM +0300, Alexey Shvetsov wrote: |
| 2 |
> Hi all! |
| 3 |
> |
| 4 |
> Seems rsbac alive again and its people created a repo with git gpg |
| 5 |
> related things [1] |
| 6 |
> |
| 7 |
> [1] http://git.rsbac.org/cgi-bin/gitweb.cgi?p=git-gpg.git;a=summary |
| 8 |
What this does provide, despite the vulnerability I noted in the other |
| 9 |
email, is a good framework for handling the signatures. |
| 10 |
|
| 11 |
To defeat the attack I mentioned before, the signatures need to cover: |
| 12 |
1. git cat-file commit $commitid |egrep -v '^(tree|parent|commiter)' |
| 13 |
2. git diff-tree --no-commit-id -r --raw $commitid |
| 14 |
2.1. Grab all of the blobid's from the 4th column. |
| 15 |
3. "git show $blobid" for each blobid from #2.1 |
| 16 |
|
| 17 |
-- |
| 18 |
Robin Hugh Johnson |
| 19 |
Gentoo Linux: Developer, Trustee & Infrastructure Lead |
| 20 |
E-Mail : robbat2@g.o |
| 21 |
GnuPG FP : 11AC BA4F 4778 E3F6 E4ED F38E B27B 944E 3488 4E85 |
Archives