On Sat, Sep 03, 2011 at 01:41:09AM +0300, Alexey Shvetsov wrote:
> Hi all!
>
> Seems rsbac is alive again and its people created a repo with git gpg
> related things [1]
>
> [1] http://git.rsbac.org/cgi-bin/gitweb.cgi?p=git-gpg.git;a=summary
What this does provide, despite the vulnerability I noted in the other
email, is a good framework for handling the signatures.

To defeat the attack I mentioned before, the signatures need to cover:
1. git cat-file commit $commitid |egrep -v '^(tree|parent|committer)'
2. git diff-tree --no-commit-id -r --raw $commitid
2.1. Grab all of the blobid's from the 4th column.
3. "git show $blobid" for each blobid from #2.1

-- 
Robin Hugh Johnson
Gentoo Linux: Developer, Trustee & Infrastructure Lead
E-Mail : robbat2@g.o
GnuPG FP : 11AC BA4F 4778 E3F6 E4ED F38E B27B 944E 3488 4E85
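The three steps above, assembled into one script as an added example (this is not code from Robin's mail, from the git-gpg repo, or from Gentoo infra). It builds the byte sequence a signature would have to cover for a given commit: the commit object without its tree/parent/committer headers, then the contents of every blob the commit changed. Two details are my own choices rather than anything the mail states: the header filter stops at the first blank line so a commit message beginning with "tree" or "parent" is not dropped, and all-zero blob ids (deletions) are skipped because there is nothing to `git show` for them. The `demo_repo` helper and its file names are constructed for the demo.

```sh
#!/bin/sh
# Added example: compute the material Robin's three steps say a signature
# must cover. Requires a working git; nothing here signs anything.
set -eu

# Step 1: the commit object minus the tree, parent and committer headers.
# Assumption (mine): only the header block is filtered, i.e. lines before
# the first blank line, so message text starting with "tree" survives.
commit_part() {
    git cat-file commit "$1" | awk '
        in_body { print; next }
        /^$/    { in_body = 1; print; next }
        /^(tree|parent|committer) / { next }
        { print }'
}

# Step 2 / 2.1: raw diff against the first parent; column 4 is the
# post-image blob id. An all-zero id marks a deletion, so skip it.
changed_blobs() {
    git diff-tree --no-commit-id -r --raw "$1" |
        awk '$4 !~ /^0+$/ { print $4 }'
}

# Step 3: contents of each changed blob, in diff-tree order. The "blob <id>"
# line is a boundary marker I added so adjacent blobs cannot be confused.
blob_part() {
    for b in $(changed_blobs "$1"); do
        printf 'blob %s\n' "$b"
        git show "$b"
    done
}

# The concatenation of step 1 and step 3 for one commit id.
signable_payload() {
    commit_part "$1"
    blob_part "$1"
}

# Throwaway repository (constructed for the demo): two commits, the second
# modifies a.txt and adds b.txt, with a message that starts with "parent".
demo_repo() {
    dir=$(mktemp -d)
    ( cd "$dir" && git init -q . \
        && git config user.email dev@example.invalid \
        && git config user.name "Example Dev" \
        && printf 'first\n' > a.txt && git add a.txt \
        && git commit -q -m 'initial' \
        && printf 'changed\n' > a.txt && printf 'second\n' > b.txt \
        && git add a.txt b.txt \
        && git commit -q -m 'parent-style message line' )
    echo "$dir"
}

# Usage: sh this_script.sh --demo
if [ "${1:-}" = "--demo" ]; then
    repo=$(demo_repo)
    cd "$repo"
    signable_payload "$(git rev-parse HEAD)"
fi
```

Two caveats when reusing this against a real history: `git diff-tree $commitid` prints nothing for a root commit unless `--root` is given, so the initial commit of a repository would produce a payload with no blob contents at all; and for a merge commit the diff is taken against the first parent only, so changes brought in through the other parents are not covered. Whatever policy you pick for those cases, both signer and verifier have to apply the same one, or the signatures will not match.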