Michael Orlitzky:
> On 09/16/2014 10:03 AM, Rich Freeman wrote:
>>
>> The gpg signature is on the entire contents of the "commit." However,
>> the contents of the commit do not include the files that are being
>> committed - it includes hashes of the parent commit, the commit
>> message, other headers, and the hash of the tree being committed,
>> which is sha1. That last hash is the only thing that ties the commit
>> to the files being committed, so you can modify the files all you like
>> as long as the sha1 is the same.
>>
>
> To put things in perspective, all I had to do was ask for commit access
> and somebody eventually gave it to me. We should worry about this when
> breaking SHA1 becomes less expensive than the ebuild quizzes.
>

Yep, that's what I'd try to do actually if I was working for NSA
(uh-oh). Try to get "collaborators" into every possible opensource project.

There are so many things you can do... e.g. "fix" a security bug, but
reference a self-packaged tarball from your dev space (which still
contains the exploit) in the ebuild. No one will know.
And that's a pretty low-hanging fruit.
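Rich Freeman's point above (a commit signature covers the commit object, which names the tree only by its SHA-1, so the working files enter only through that hash) can be reconstructed from git's loose-object format. The following is an added Python example, not code from anyone in this thread; the author line, file names and contents are constructed, and the hashing matches what `git hash-object` computes.

```python
import hashlib

# Constructed sample author/committer line (name, e-mail and timestamp are made up).
AUTHOR = "A U Thor <author@example.com> 1410876180 -0400"

def git_object_hash(kind: str, payload: bytes) -> str:
    """SHA-1 over '<kind> <size>\\0<payload>', exactly what `git hash-object` computes."""
    header = f"{kind} {len(payload)}\0".encode()
    return hashlib.sha1(header + payload).hexdigest()

def blob_hash(content: bytes) -> str:
    """Object id of a file's contents (a 'blob')."""
    return git_object_hash("blob", content)

def tree_hash(entries) -> str:
    """Object id of a tree: entries are (mode, name, blob_hex_sha), serialized in git's
    binary tree format ('<mode> <name>\\0<20 raw sha bytes>'), sorted by name."""
    payload = b"".join(
        f"{mode} {name}\0".encode() + bytes.fromhex(hexsha)
        for mode, name, hexsha in sorted(entries, key=lambda e: e[1])
    )
    return git_object_hash("tree", payload)

def commit_payload(tree_sha: str, parents, author: str, message: str) -> bytes:
    """The commit object body. `git commit -S` signs these bytes and stores the signature
    as a gpgsig header; file contents appear only indirectly, through tree_sha."""
    lines = [f"tree {tree_sha}"] + [f"parent {p}" for p in parents]
    lines += [f"author {author}", f"committer {author}", "", message]
    return ("\n".join(lines) + "\n").encode()

def signed_view(files: dict, parents=(), message="Initial commit"):
    """Build the tree for `files` ({name: bytes}) and return (commit bytes, tree sha)."""
    entries = [("100644", name, blob_hash(data)) for name, data in files.items()]
    tsha = tree_hash(entries)
    return commit_payload(tsha, parents, AUTHOR, message), tsha

def content_change_is_visible(files: dict, modified: dict) -> bool:
    """True when a change to the working files changes the tree id the signature covers.
    Only a SHA-1 collision (same tree id, different contents) would make this False."""
    return signed_view(files)[1] != signed_view(modified)[1]

if __name__ == "__main__":
    files = {"hello.txt": b"hello\n"}  # constructed sample repository content
    payload, tsha = signed_view(files)
    print(payload.decode())
    print("file bytes inside the signed payload:", b"hello\n" in payload)  # False
    print("tree id inside the signed payload:", tsha.encode() in payload)  # True
    print("edit detectable:", content_change_is_visible(files, {"hello.txt": b"hello, world\n"}))
```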