On Mon, Jun 4, 2012 at 12:19 PM, Dirkjan Ochtman <djc@g.o> wrote:
> So to prevent your scenario, we'd
> have to get everyone to check the signature of the tip of tree they
> pulled before committing/merging.

How can we be sure this has happened?

This is the problem with signed manifests today. I can sign a
manifest, but I didn't actually check all the files inside it, and the
file might or might not have been signed before I modified it, and
most likely I didn't even check the signature even if it was there.

Anything we do has to be automated to be of any real value. Ideally
if something goes wrong it should be as detectable as possible.

Warts and all, the current system hasn't broken down yet. However, if
we ever did find out about an intrusion in our cvs repository, we'd
essentially have to do a 100% code review to be sure it was OK, and
that includes checking all tarballs on mirrors.

With signed commits we could verify that the tree was intact, and if
anything bad was found we could pinpoint exactly whose key was
compromised and do a focused check on their commits.

Rich
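The automated check Rich is asking for, as an added example that is not part of the thread: it parses the per-commit signature status that `git log` can emit (`%G?` and `%GK`, documented in git-log(1)), flags every commit that does not carry a fully trusted good signature, and, given a key id known to be compromised, returns the focused review set of commits signed by that key. The log lines, SHAs, key ids and author names below are constructed placeholders.

```python
"""Audit git commit signatures from `git log` output (added example)."""
from dataclasses import dataclass

# Meaning of git's %G? placeholder, as documented in git-log(1).
SIG_STATUS = {
    "G": "good", "U": "good, untrusted key", "B": "bad",
    "X": "good, expired signature", "Y": "good, expired key",
    "R": "good, revoked key", "E": "cannot check", "N": "unsigned",
}
ACCEPT = {"G"}  # only a good signature from a trusted key counts as verified


@dataclass
class Commit:
    sha: str
    status: str   # one of the SIG_STATUS keys
    key: str      # signing key id (%GK), empty when unsigned
    author: str


def parse_log(text):
    """Parse output of: git log --format='%H%x09%G?%x09%GK%x09%an'."""
    commits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        sha, status, key, author = line.split("\t", 3)
        commits.append(Commit(sha, status, key, author))
    return commits


def audit(commits, compromised_keys=frozenset()):
    """Return (unverified, suspect): commits that fail verification, and
    commits signed by a key known to be compromised (the focused review set)."""
    unverified = [c for c in commits if c.status not in ACCEPT]
    suspect = [c for c in commits if c.key and c.key in compromised_keys]
    return unverified, suspect


# Constructed sample log; SHAs, key ids and names are placeholders.
SAMPLE_LOG = """\
aaaa1111\tG\tAAAAAAAAAAAAAAAA\tAlice
bbbb2222\tN\t\tBob
cccc3333\tG\tBBBBBBBBBBBBBBBB\tCarol
dddd4444\tB\tCCCCCCCCCCCCCCCC\tDave
eeee5555\tU\tDDDDDDDDDDDDDDDD\tEve
"""

if __name__ == "__main__":
    unverified, suspect = audit(parse_log(SAMPLE_LOG), {"BBBBBBBBBBBBBBBB"})
    for c in unverified:
        print(f"{c.sha} {c.author}: {SIG_STATUS.get(c.status, '?')}")
    for c in suspect:
        print(f"{c.sha} {c.author}: signed by compromised key {c.key}, review")
```

Run against a real tree with `git log --format='%H%x09%G?%x09%GK%x09%an' | python audit.py` after swapping `SAMPLE_LOG` for stdin; a commit is only trusted when its status is `G`, so an unsigned or badly signed commit anywhere in history shows up rather than being silently merged.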