On 2014-09-16 14:40, hasufell wrote:
> Michael Orlitzky:
> > To put things in perspective, all I had to do was ask for commit access
> > and somebody eventually gave it to me. We should worry about this when
> > breaking SHA1 becomes less expensive than the ebuild quizzes.
>
> Yep, that's what I'd try to do actually if I was working for NSA
> (uh-oh). Try to get "collaborators" into every possible open-source project.
>
> There are so many things you can do... e.g. "fix" a security bug, but
> reference a self-packaged tarball from your dev space (which still
> contains the exploit) in the ebuild. No one will know.
> And that's a pretty low-hanging fruit.
>

This is what's been driving me batty. None of you verified my identity
before letting me be an official Gentoo Developer. Yet I have access to
the repo. All I had to do was complete the quizzes.

The real concern is restricting access to the master repository. If the
attacker has gained access, either by becoming a developer or some other
means, then we're only kind of inconvenienced a little. We have to take the
system down for a bit, fix the problem, and replace the repo with a
trusted source or just roll it back to the last known good commit before
the good commit was made.

When Linus has talked about Git using SHA-1, the impression I got was
that it isn't a means of preventing attacks, but ensuring corruption
hasn't happened. When he talked about an attack on the kernel
repository, it was with BitKeeper, which used a much weaker hash, and
still thwarted an attack.

I also like what Pro Git has to say:
http://git-scm.com/book/ch6-1.html#A-SHORT-NOTE-ABOUT-SHA-1

It doesn't mention SHA-1 as a security feature, but that collisions are
effectively not a concern. Instead, we should be more concerned about us
all being dragged off into the night by wolves. Simultaneously.

Git hasn't promised to be secure against attacks. Just secure against
corruption. Two different things.

--
Mr. Aaron W. Swenson
Gentoo Linux Developer
PostgreSQL Herd Bull
Email : titanofold@g.o
GnuPG FP : 2C00 7719 4F85 FB07 A49C 0E31 5713 AA03 D1BB FDA0
GnuPG ID : D1BBFDA0
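The distinction drawn in the message above (Git's SHA-1 object ids detect corruption, they do not authenticate who wrote the content) can be shown concretely. The following is an added example, not code from the thread or from Git itself. It recomputes Git's object id the way `git hash-object` does (SHA-1 over `"<type> <length>\0<data>"`), runs an fsck-style check over a constructed in-memory object store, and contrasts two cases: bit rot, where bytes change but the id does not, and a substitution by someone holding write access, who rewrites the object and its id consistently so the hash check stays green. The only thing that catches the second case is a trust anchor outside the object store; an HMAC with a maintainer-held key stands in for a GPG-signed tag or commit here purely so the example runs offline (that substitution, the `ObjectStore` layout and the sample contents are assumptions of this example).

```python
import hashlib
import hmac
from typing import Dict, List, Tuple

# Constructed in-memory object store (assumption of this example): id -> (type, raw bytes)
ObjectStore = Dict[str, Tuple[str, bytes]]


def git_object_id(obj_type: str, data: bytes) -> str:
    """Id Git assigns to an object: SHA-1 over "<type> <len>\\0<data>".
    For a blob this matches `git hash-object` exactly."""
    header = f"{obj_type} {len(data)}\0".encode("ascii")
    return hashlib.sha1(header + data).hexdigest()


def store_object(store: ObjectStore, obj_type: str, data: bytes) -> str:
    """File an object under the id its bytes hash to, as Git's object database does."""
    oid = git_object_id(obj_type, data)
    store[oid] = (obj_type, data)
    return oid


def find_corrupted(store: ObjectStore) -> List[str]:
    """Integrity check in the spirit of `git fsck`: recompute every id and report
    objects whose bytes no longer hash to the key they are filed under."""
    return sorted(oid for oid, (t, d) in store.items()
                  if not hmac.compare_digest(git_object_id(t, d), oid))


def sign_ref(key: bytes, oid: str) -> str:
    """Trust anchor held outside the repository: a keyed MAC over the object id.
    Assumption: HMAC stands in for the GPG-signed tag/commit real Git would use."""
    return hmac.new(key, oid.encode("ascii"), hashlib.sha256).hexdigest()


def verify_ref(key: bytes, oid: str, sig: str) -> bool:
    return hmac.compare_digest(sign_ref(key, oid), sig)


def corruption_scenario() -> bool:
    """Bit rot / disk fault: bytes change, the id stays. True if the hash check catches it."""
    store: ObjectStore = {}
    oid = store_object(store, "blob", b"hello\n")
    store[oid] = ("blob", b"jello\n")   # constructed: one byte flipped in place
    return find_corrupted(store) == [oid]


def substitution_scenario() -> Tuple[bool, bool]:
    """Write access used to swap content: object AND id are rewritten consistently.
    Returns (hash_check_passes, signed_ref_check_fails)."""
    key = b"maintainer-key-constructed-for-example"
    store: ObjectStore = {}
    approved = store_object(store, "blob", b"approved content (constructed)\n")
    sig = sign_ref(key, approved)       # maintainer signs the approved id once
    head = store_object(store, "blob", b"substituted content (constructed)\n")
    # fsck-style check is green: every object hashes to its own key.
    hash_check_passes = find_corrupted(store) == []
    # Only the signature, made with a key the store never held, notices the swap.
    signed_ref_check_fails = not verify_ref(key, head, sig)
    return hash_check_passes, signed_ref_check_fails


if __name__ == "__main__":
    print("blob id of 'hello\\n':", git_object_id("blob", b"hello\n"))
    print("corruption detected by SHA-1 check:", corruption_scenario())
    passes, caught = substitution_scenario()
    print("substitution passes SHA-1 check:", passes, "| caught by signed ref:", caught)
```

The `hello\n` blob id printed by the block can be compared against `echo hello | git hash-object --stdin` on any machine with Git installed. The point the two scenarios make is the one the message makes in prose: the object hash is an integrity check that the repository can verify about itself, so anyone who can write to the repository can satisfy it; authenticity has to come from a key that lives outside the repository, such as a signed tag, plus the access control around who may push.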