| 1 |
On 2014-09-16 14:40, hasufell wrote: |
| 2 |
> Michael Orlitzky: |
| 3 |
> > To put things in perspective, all I had to do was ask for commit access |
| 4 |
> > and somebody eventually gave it to me. We should worry about this when |
| 5 |
> > breaking SHA1 becomes less expensive than the ebuild quizzes. |
| 6 |
> |
| 7 |
> Yep, that's what I'd try to do actually if I was working for NSA |
| 8 |
> (uh-oh). Try to get "collaborators" into every possible opensource project. |
| 9 |
> |
| 10 |
> There are so many thing you can do... e.g. "fix" a security bug, but |
| 11 |
> reference a self-packaged tarball from your dev space (which still |
| 12 |
> contains the exploit) in the ebuild. No one will know. |
| 13 |
> And that's a pretty low hanging fruit. |
| 14 |
> |
| 15 |
|
| 16 |
This is what's been driving me batty. None of you verified my identity |
| 17 |
before letting me be an official Gentoo Developer. Yet I have access to |
| 18 |
the repo. All I had to do was complete the quizzes. |
| 19 |
|
| 20 |
The real concern is restricting access to the master repository. If the |
| 21 |
attacker has gained access, either by becoming a developer or some other |
| 22 |
means, then we're only kind inconvenienced a little. We have to take the |
| 23 |
system down for a bit, fix the problem, and replace the repo with a |
| 24 |
trusted source or just roll it back to the last known good commit before |
| 25 |
the good commit was made. |
| 26 |
|
| 27 |
When Linus has talked about Git using SHA-1, the impression I got was |
| 28 |
that it isn't a means of preventing attacks, but ensuring corruption |
| 29 |
hasn't happened. When he talked about an attack to the kernel |
| 30 |
repository, it was with BitKeeper, which used a much weaker hash, and |
| 31 |
still thwarted an attack. |
| 32 |
|
| 33 |
I also like what Pro Git has to say: |
| 34 |
http://git-scm.com/book/ch6-1.html#A-SHORT-NOTE-ABOUT-SHA-1 |
| 35 |
|
| 36 |
It doesn't mention SHA-1 as a security feature, but that collissions are |
| 37 |
effectively not a concern. Instead, we should be more concerned about us |
| 38 |
all being dragged off into the night by wolves. Simultaneously. |
| 39 |
|
| 40 |
Git hasn't promised to be secure against attacks. Just secure against |
| 41 |
corruption. Two different things. |
| 42 |
|
| 43 |
-- |
| 44 |
Mr. Aaron W. Swenson |
| 45 |
Gentoo Linux Developer |
| 46 |
PostgreSQL Herd Bull |
| 47 |
Email : titanofold@g.o |
| 48 |
GnuPG FP : 2C00 7719 4F85 FB07 A49C 0E31 5713 AA03 D1BB FDA0 |
| 49 |
GnuPG ID : D1BBFDA0 |
Archives