List Archive: gentoo-scm
Headers:
To: gentoo-scm@g.o
From: Mike Frysinger <vapier@g.o>
Subject: thin manifests
Date: Thu, 25 Aug 2011 00:23:40 -0400

On Monday, August 22, 2011 15:28:57 Robin H. Johnson wrote:
> Unresolved items:
> - commit signing
> - thin Manifests

how exactly are these two supposed to interact ?  the previous discussion 
seemed to miss signing.  if devs sign the thin manifests, when we go to 
produce the full manifest for rsync, we invalidate the signature.

also, a previous assertion was made which i think is incorrect:
	Due to the distributed nature of git, to do mischief, you need to
	change every clone in the world to be successful
each new sha1 comes from the previous state + new data.  so injecting code 
into the tip and finding a collision is not impossible and does not require 
modification of anything before it.  it would only be detected automatically 
by people who have the original commit, make new commits on top of that, and 
then attempt to push back again to the modified tree.  i.e. the attack is made 
against the source Gentoo repo sitting on our machines.

the other attack we want to prevent is MITM when people sync.  in this case, 
someone who syncs over git:// is perpetually vulnerable with thin manifests as 
the attacker can keep recomputing the collisions so that the modified tree 
keeps ending up with the same digests as the public one.  and the end user 
never notices without manually reviewing everything themselves.

further, it was stated:
	This has nothing to do with strength of the hash used by git
well, it sort of does.  sha1 has been shown to be weaker than brute forcing, 
and while right now it might not be computationally feasible to inject useful 
code in realtime, that is not something we should be betting on.  attacks only 
get better over time ... even in 2004 security conscious people started 
talking about migrating away from it.  and now in 2012, we want to talk about 
migrating purely to it ?
-mike
Attachment:
signature.asc (This is a digitally signed message part.)
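
The message's point that each new sha1 comes from the previous state plus new data, as an added example that is not part of the original message: it computes git blob, tree and commit ids the way git does and compares a history with one whose newest snapshot was altered. The file names, file contents, identity and timestamp are constructed sample values, and the thin Manifest is assumed to carry only a DIST entry.

```python
import hashlib

def git_id(kind, body):
    """Object id as git computes it: SHA-1 over '<type> <len>' NUL body."""
    return hashlib.sha1(f"{kind} {len(body)}\0".encode() + body).hexdigest()

def tree_id(files):
    """Id of a flat tree of regular files (mode 100644), sorted by name."""
    body = b"".join(
        b"100644 " + name.encode() + b"\0" + bytes.fromhex(git_id("blob", data))
        for name, data in sorted(files.items()))
    return git_id("tree", body)

def commit_id(tree, parent, msg):
    """Id of a commit object; identity and timestamp are constructed values."""
    who = "Dev <dev@example.org> 1314246220 -0400"
    lines = [f"tree {tree}"]
    if parent:
        lines.append(f"parent {parent}")
    lines += [f"author {who}", f"committer {who}", "", msg, ""]
    return git_id("commit", "\n".join(lines).encode())

def build_history(snapshots):
    """Commit ids for successive {filename: content} snapshots, oldest first."""
    ids, parent = [], None
    for n, files in enumerate(snapshots):
        parent = commit_id(tree_id(files), parent, f"commit {n}")
        ids.append(parent)
    return ids

# Constructed sample trees: three commits, then the same history with only
# the newest snapshot's ebuild altered.
THIN = b"DIST foo-1.0.tar.gz 1234 SHA256 <placeholder>\n"
ORIGINAL = [
    {"foo-1.0.ebuild": b"src_install() { :; }\n"},
    {"foo-1.0.ebuild": b"src_install() { :; }\n", "Manifest": THIN},
    {"foo-1.0.ebuild": b"src_install() { default; }\n", "Manifest": THIN},
]
TAMPERED = ORIGINAL[:2] + [dict(ORIGINAL[2], **{"foo-1.0.ebuild": b"# altered\n"})]

if __name__ == "__main__":
    for good, bad in zip(build_history(ORIGINAL), build_history(TAMPERED)):
        print(good, bad, "same" if good == bad else "DIFFERENT")
```

The two older commit ids are identical in both histories and only the tip differs, while the Manifest bytes are the same in both, so the ebuild content at the tip is bound only by the SHA-1 chain from blob to tree to commit.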
Replies:
Re: thin manifests
-- Robin H. Johnson
References:
Progress on cvs->git migration
-- Alexey Shvetsov
Re: [gentoo-dev] Progress on cvs->git migration
-- Robin H. Johnson


Updated May 23, 2012

Summary: Archive of the gentoo-scm mailing list.
