| 1 |
Michael Orlitzky: |
| 2 |
> On 09/16/2014 10:03 AM, Rich Freeman wrote: |
| 3 |
>> |
| 4 |
>> The gpg signature is on the entire contents of the "commit." However, |
| 5 |
>> the contents of the commit do not include the files that are being |
| 6 |
>> committed - it includes hashes of the parent commit, the commit |
| 7 |
>> message, other headers, and the hash of the tree being committed, |
| 8 |
>> which is sha1. That last hash is the only thing that ties the commit |
| 9 |
>> to the files being committed, so you can modify the files all you like |
| 10 |
>> as long as the sha1 is the same. |
| 11 |
>> |
| 12 |
> |
| 13 |
> To put things in perspective, all I had to do was ask for commit access |
| 14 |
> and somebody eventually gave it to me. We should worry about this when |
| 15 |
> breaking SHA1 becomes less expensive than the ebuild quizzes. |
| 16 |
> |
| 17 |
> |
| 18 |
|
| 19 |
Yep, that's what I'd try to do actually if I was working for NSA |
| 20 |
(uh-oh). Try to get "collaborators" into every possible opensource project. |
| 21 |
|
| 22 |
There are so many thing you can do... e.g. "fix" a security bug, but |
| 23 |
reference a self-packaged tarball from your dev space (which still |
| 24 |
contains the exploit) in the ebuild. No one will know. |
| 25 |
And that's a pretty low hanging fruit. |
Archives