List Archive: gentoo-scm
On Thursday 19 February 2009, Robin H. Johnson wrote:
> On Thu, Feb 19, 2009 at 10:47:33AM +0100, Robert Buchholz wrote:
> > > Your count of needing to attack two boxes presently is wrong.
> > > Just pick some community rsyncNN.CC.gentoo.org that also hosts
> > > distfiles via HTTP/FTP, and attack that box, replacing both a
> > > Manifest and the distfile.
> > The rsync attack can be avoided by using the signed tree tarballs.
> > The DIST hash attack can't.
> Err, unless I'm missing something, the signed-tree stuff (as tarballs
> or MetaManifest per my GLEPs) does prevent the DIST hash issue as
> well. For a signed tree (where the Manifests and full tree contents
> are verifiable), I don't see how you would subvert a distfile and NOT
> have it detected (short of defeating the hash functions).
Maybe I should have been clearer. By the "DIST hash attack" I meant an
attack on the original location of the distfile where you would need to
run a man-in-the-middle attack on the developer and either the
distfiles master or the user downloading the file. That's why I said
right now you need to attack two boxes, and by removing DIST entries
from Manifest this would be reduced to one.
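The check that a Manifest DIST entry makes possible, as an added example that is not part of the original message and is not Portage's code: it parses `DIST <file> <size> <HASH> <hex> ...` lines and verifies a downloaded distfile against them. The file name, sample data and function names are constructed for illustration, and the Manifest itself is assumed to have been authenticated already (for instance via a signed tree).

```python
import hashlib

SUPPORTED = {"SHA1": "sha1", "SHA256": "sha256", "SHA512": "sha512"}

def parse_dist_entries(manifest_text):
    """Return {filename: (size, {HASH: hexdigest})} for the DIST lines only."""
    entries = {}
    for line in manifest_text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "DIST":
            continue  # EBUILD/AUX/MISC lines are not distfile entries
        name, size, rest = fields[1], int(fields[2]), fields[3:]
        if len(rest) % 2:
            raise ValueError("unpaired hash field for " + name)
        entries[name] = (size, dict(zip(rest[0::2], rest[1::2])))
    return entries

def verify_distfile(entries, name, data):
    """Return 'ok', 'mismatch', or 'unverifiable' (nothing to check against)."""
    if name not in entries:
        return "unverifiable"  # no DIST entry: the download cannot be checked
    size, hashes = entries[name]
    if len(data) != size:
        return "mismatch"
    checked = 0
    for label, expected in hashes.items():
        algo = SUPPORTED.get(label)
        if algo is None:
            continue  # hash type this sketch does not implement
        if hashlib.new(algo, data).hexdigest() != expected.lower():
            return "mismatch"
        checked += 1
    return "ok" if checked else "unverifiable"

# Constructed sample data (not a real package).
NAME = "foo-1.0.tar.gz"
GOOD = b"constructed tarball contents\n"
TAMPERED = b"constructed tarball c0ntents\n"  # same size, different bytes
EBUILD_LINE = "EBUILD foo-1.0.ebuild 3 SHA256 " + hashlib.sha256(b"abc").hexdigest()
DIST_LINE = "DIST {} {} SHA256 {} SHA512 {}".format(
    NAME, len(GOOD), hashlib.sha256(GOOD).hexdigest(), hashlib.sha512(GOOD).hexdigest())
WITH_DIST = parse_dist_entries(EBUILD_LINE + "\n" + DIST_LINE + "\n")
WITHOUT_DIST = parse_dist_entries(EBUILD_LINE + "\n")

if __name__ == "__main__":
    for label, entries in (("with DIST", WITH_DIST), ("without DIST", WITHOUT_DIST)):
        for kind, blob in (("good", GOOD), ("tampered", TAMPERED)):
            print(label, kind, verify_distfile(entries, NAME, blob))
```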