On 21 September 2014 09:01, hasufell <hasufell@g.o> wrote:

> Because there are other VCSs it is not a bug??
>
>
No, it just means "using SHA1 for making a repository work" is not a bug,
just like using "i am number 6, parent is number 5" is not a "security" bug.


> Of course it is a bug since it is in the gpg-signing chain and to use it
> in a practical way is very unlikely.
>
>
It's only a bug in that we're intending to use it for something it was not
designed for. SHA1s are not a security mechanism for Git.

GPGs are not entirely useless there, just we're taking more meaning from it
than it really supports.

I literally read GPG as being no more evidence than proof that, "yes, I
wrote that commit message, and I wrote that commit". It doesn't prove you
made any of those dependencies ( because some of those dependencies are git's
entire history of commits down the parent -> parent -> parent line )


> So you are suggesting to not migrate at all or severely break the
> workflow because someone might forge _working code_ with a specific
> SHA1? There is no efficient algorithm for that afaik, those are just
> about finding _any_ collision and even then it takes considerable
> resources that can be used to break gentoo in much easier ways.
>

He is proposing quite the opposite. He's saying "git is not secure in this
way, but let's not let that stop us, migrate and fix that after the fact or
we'll never get around to it, because all this debate is the perfect being
the enemy of the good".

Git is still more than adequately secure without GPG to defend against a
whole bunch of attacks you'd need NSA grade stuff to attack as it is, and
GPG on the commits themselves basically rules out the easiest place
somebody *could* get things in without a GPG.

That is to say: without gpg, you can just create some random commit with
some arbitrary content and push it somewhere, and you can pretend you're a
gentoo dev and pretend you're writing commits as them.

GPG sufficiently prevents that from happening, and takes it from amateur
grade imposter requirements to NSA grade imposter requirements. And that's
not a bad compromise for being imperfect.


-- 
Kent

*KENTNL* - https://metacpan.org/author/KENTNL
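The point Kent makes about what a commit signature does and does not cover can be made concrete with git's own object model. The following is an added example, not code from the thread or from Git: it computes git object ids the way git does (SHA-1 over `<kind> <size>\0<payload>`), builds a constructed two-commit history, and signs only the head commit's payload. The signature stand-in is an HMAC with a constructed key (real git stores an OpenPGP signature in a `gpgsig` header over the same payload); the repository contents, author identity and timestamp are all constructed sample data. The walk from the signed head back through `parent` lines shows that earlier commits are trusted only because their bytes hash to the id the child names, which is exactly the SHA-1 dependency being discussed: the signature never sees the parent's bytes, so a substituted parent object is caught by the hash recomputation, not by the signature.

```python
import hashlib
import hmac
import re


def git_object_id(kind: str, payload: bytes) -> str:
    """Git names every object by SHA-1 over "<kind> <size>\\0<payload>"."""
    header = f"{kind} {len(payload)}\0".encode()
    return hashlib.sha1(header + payload).hexdigest()


def blob_id(content: bytes) -> str:
    return git_object_id("blob", content)


def tree_payload(entries):
    """entries: [(mode, name, hex_id)]; git stores the raw 20-byte id per entry."""
    out = b""
    for mode, name, oid in sorted(entries, key=lambda e: e[1]):
        out += f"{mode} {name}".encode() + b"\0" + bytes.fromhex(oid)
    return out


def commit_payload(tree_id, parent_ids, ident, message):
    """The commit object: tree id, parent ids, author/committer, message.
    A signature over this payload covers the *ids* of tree and parents,
    not the bytes behind them."""
    lines = [f"tree {tree_id}"] + [f"parent {p}" for p in parent_ids]
    lines += [f"author {ident}", f"committer {ident}"]
    return ("\n".join(lines) + "\n\n" + message).encode()


# Stand-in for a GPG signature (constructed): HMAC-SHA256 over the commit
# payload. Real git signs the same payload and stores the result in a
# 'gpgsig' header inside the commit object.
def sign_commit(payload: bytes, key: bytes) -> str:
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def signature_ok(payload: bytes, sig: str, key: bytes) -> bool:
    return hmac.compare_digest(sign_commit(payload, key), sig)


PARENT_RE = re.compile(rb"^parent ([0-9a-f]{40})$", re.M)


def parent_ids(payload: bytes):
    # Only the header block (before the first blank line) carries parent lines.
    headers = payload.split(b"\n\n", 1)[0]
    return [p.decode() for p in PARENT_RE.findall(headers)]


def verify_history(head_id, store, head_sig, key):
    """Return the commit ids whose integrity is established, starting from a
    signed head. Only the head carries a signature; every earlier commit is
    trusted solely because its SHA-1 matches the 'parent' line naming it.
    Raises ValueError on the first object whose bytes do not hash to its name."""
    _, head_payload = store[head_id]
    if not signature_ok(head_payload, head_sig, key):
        raise ValueError("head signature does not verify")
    verified, todo = [], [head_id]
    while todo:
        oid = todo.pop()
        kind, payload = store[oid]
        if git_object_id(kind, payload) != oid:
            raise ValueError(f"object {oid} does not hash to its name")
        verified.append(oid)
        todo.extend(parent_ids(payload))
    return verified


def build_sample_repo():
    """Constructed two-commit history; returns (store, head_id, head_sig, key)."""
    key = b"constructed-signing-key"
    ident = "Example Dev <dev@example.invalid> 1411286460 +0000"
    store = {}

    def put(kind, payload):
        oid = git_object_id(kind, payload)
        store[oid] = (kind, payload)
        return oid

    b1 = put("blob", b'DEPEND="dev-libs/foo"\n')
    t1 = put("tree", tree_payload([("100644", "foo.ebuild", b1)]))
    c1 = put("commit", commit_payload(t1, [], ident, "initial import\n"))
    b2 = put("blob", b'DEPEND="dev-libs/foo dev-libs/bar"\n')
    t2 = put("tree", tree_payload([("100644", "foo.ebuild", b2)]))
    c2_payload = commit_payload(t2, [c1], ident, "add bar dependency\n")
    c2 = put("commit", c2_payload)
    return store, c2, sign_commit(c2_payload, key), key


def tampered_parent_detected() -> bool:
    """Replace the bytes of the unsigned parent commit but keep its name.
    The head signature still verifies (it never covered the parent's bytes);
    only the SHA-1 recomputation catches the substitution."""
    store, head, sig, key = build_sample_repo()
    _, head_payload = store[head]
    parent = parent_ids(head_payload)[0]
    kind, old = store[parent]
    store[parent] = (kind, old.replace(b"initial import", b"tampered"))
    if not signature_ok(head_payload, sig, key):
        return False  # would mean the signature covered parent bytes; it does not
    try:
        verify_history(head, store, sig, key)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    store, head, sig, key = build_sample_repo()
    print("verified via hash chain:", verify_history(head, store, sig, key))
    print("tampered parent detected:", tampered_parent_detected())
```

The two well-known fixed points (`e69de29b…` for the empty blob, `4b825dc6…` for the empty tree) confirm that `git_object_id` matches git's real naming. What `tampered_parent_detected` demonstrates is the limit of the signature: substituting a parent whose bytes differ is caught because its SHA-1 no longer matches, so the strength of that check is precisely the strength of SHA-1 against a second preimage that is also a usable commit object, which is the forgery the thread argues is impractical.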