List Archive: gentoo-scm
To: gentoo-scm@g.o
From: "Robin H. Johnson" <robbat2@g.o>
Subject: Re: gentoo-x86 on git - Manifests
Date: Thu, 19 Feb 2009 13:33:44 -0800
On Thu, Feb 19, 2009 at 10:47:33AM +0100, Robert Buchholz wrote:
> > Your count of needing to attack two boxes presently is wrong. Just
> > pick some community rsyncNN.CC.gentoo.org that also hosts distfiles
> > via HTTP/FTP, and attack that box, replacing both a Manifest and the
> > distfile.
> The rsync attack can be avoided by using the signed tree tarballs.
> The DIST hash attack can't.
Err, unless I'm missing something, the signed-tree stuff (as tarballs or
MetaManifest per my GLEPs) does prevent the DIST hash issue as well.
For a signed tree (where the Manifests and full tree contents are
verifiable), I don't see how you would subvert a distfile and NOT have
it detected (short of defeating the hash functions).

-- 
Robin Hugh Johnson
Gentoo Linux Developer & Infra Guy
E-Mail     : robbat2@g.o
GnuPG FP   : 11AC BA4F 4778 E3F6 E4ED  F38E B27B 944E 3488 4E85
Attachment:
pgpvITLCGGqlv.pgp (PGP signature)
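The point argued in the message above (a signed tree covers the DIST hashes, so swapping a distfile and its Manifest on one mirror is caught) as a runnable toy model. This is an added example written for this page; it is not Gentoo or Portage code and does not implement the GLEPs. Assumptions: an HMAC key stands in for the developer's GnuPG signature so the script runs offline, the MetaManifest line shape (`MANIFEST path size SHA256 hex`) is invented for the example, and the two packages and their distfiles are constructed inputs.

```python
"""Toy model of the mirror attack from the thread (constructed example)."""
import hashlib
import hmac

# Assumption: an HMAC key stands in for the developer's GnuPG signing key.
# The mirror operator does not hold it, which is the whole argument.
SIGNING_KEY = b"developer-private-key-stand-in"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_manifest(distfiles: dict) -> bytes:
    """One line per distfile in the 'DIST name size SHA256 hex' shape."""
    lines = [f"DIST {n} {len(d)} SHA256 {sha256(d)}" for n, d in sorted(distfiles.items())]
    return ("\n".join(lines) + "\n").encode()


def make_metamanifest(manifests: dict) -> bytes:
    """Top-level file listing the hash of every per-package Manifest (assumed shape)."""
    lines = [f"MANIFEST {p}/Manifest {len(m)} SHA256 {sha256(m)}"
             for p, m in sorted(manifests.items())]
    return ("\n".join(lines) + "\n").encode()


def sign(data: bytes) -> str:
    return hmac.new(SIGNING_KEY, data, hashlib.sha256).hexdigest()


def parse(text: bytes) -> dict:
    """Map name -> (size, digest) from DIST/MANIFEST lines."""
    out = {}
    for line in text.decode().splitlines():
        _kind, name, size, _algo, digest = line.split()
        out[name] = (int(size), digest)
    return out


def entry_matches(entry, data: bytes) -> bool:
    size, digest = entry
    return size == len(data) and hmac.compare_digest(digest, sha256(data))


def check_dist_only(manifest: bytes, name: str, data: bytes) -> bool:
    """A client that trusts whatever Manifest the mirror serves: DIST hash only."""
    entries = parse(manifest)
    return name in entries and entry_matches(entries[name], data)


def check_signed_tree(meta: bytes, sig: str, manifests: dict, distfiles: dict) -> str:
    """Signature -> MetaManifest -> Manifests -> distfiles. Returns 'ok' or the failing layer."""
    if not hmac.compare_digest(sign(meta), sig):
        return "bad MetaManifest signature"
    meta_entries = parse(meta)
    for pkg, manifest in manifests.items():
        entry = meta_entries.get(f"{pkg}/Manifest")
        if entry is None or not entry_matches(entry, manifest):
            return f"Manifest hash mismatch: {pkg}"
        dist_entries = parse(manifest)
        for name, data in distfiles[pkg].items():
            if name not in dist_entries or not entry_matches(dist_entries[name], data):
                return f"DIST hash mismatch: {pkg}/{name}"
    return "ok"


# Constructed tree: two packages, one distfile each, as published by the developer.
PACKAGES = {
    "app-misc/foo": {"foo-1.0.tar.gz": b"genuine foo source\n"},
    "app-misc/bar": {"bar-2.1.tar.gz": b"genuine bar source\n"},
}
MANIFESTS = {pkg: make_manifest(d) for pkg, d in PACKAGES.items()}
META = make_metamanifest(MANIFESTS)
META_SIG = sign(META)


def compromised_mirror():
    """Attacker on one mirror swaps a distfile AND rewrites its Manifest to match."""
    dist = {pkg: dict(d) for pkg, d in PACKAGES.items()}
    dist["app-misc/foo"]["foo-1.0.tar.gz"] = b"backdoored foo source\n"
    manifests = dict(MANIFESTS)
    manifests["app-misc/foo"] = make_manifest(dist["app-misc/foo"])
    return manifests, dist


def unsigned_client_result() -> bool:
    """The one-box attack: passes when only the mirror-served Manifest is checked."""
    manifests, dist = compromised_mirror()
    return check_dist_only(manifests["app-misc/foo"], "foo-1.0.tar.gz",
                           dist["app-misc/foo"]["foo-1.0.tar.gz"])


def signed_tree_result() -> str:
    """Same tampering against a client that verifies the signed MetaManifest chain."""
    manifests, dist = compromised_mirror()
    return check_signed_tree(META, META_SIG, manifests, dist)


def forged_metamanifest_result() -> str:
    """Attacker also regenerates the MetaManifest, but cannot sign it."""
    manifests, dist = compromised_mirror()
    return check_signed_tree(make_metamanifest(manifests), META_SIG, manifests, dist)


if __name__ == "__main__":
    print("honest tree:", check_signed_tree(META, META_SIG, MANIFESTS, PACKAGES))
    print("unsigned client accepts tampered distfile:", unsigned_client_result())
    print("signed-tree client:", signed_tree_result())
    print("forged MetaManifest:", forged_metamanifest_result())
```

The unsigned check accepts the backdoored distfile because the attacker controls both the file and the hash the client compares it against. With the signed tree the same tampering fails one layer up: the rewritten Manifest no longer matches the hash recorded in the signed MetaManifest, and regenerating the MetaManifest only moves the failure to the signature check. The only way through is a second-preimage attack on the hash, which is the "short of defeating the hash functions" caveat in the message.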
Replies:
Re: gentoo-x86 on git - Manifests
-- Robert Buchholz
References:
gentoo-x86 on git - Manifests
-- Maciej Mrozowski
Re: gentoo-x86 on git - Manifests
-- Robert Buchholz
Re: gentoo-x86 on git - Manifests
-- Robin H. Johnson
Re: gentoo-x86 on git - Manifests
-- Robert Buchholz