Ciaran McCreesh posted on Wed, 17 Sep 2014 12:36:16 +0100 as excerpted:

> On Wed, 17 Sep 2014 07:21:08 -0400 Tim Boudreau <niftiness@×××××.com>
> wrote:
>> If someone wants to commit malicious code into Gentoo, they're far more
>> likely to take the ugly but pragmatic approach of, say, forcing someone
>> to commit malicious code at gunpoint and then shooting them, than to go
>> to the vast effort it would take to come up with malicious code that
>> conveniently has the same SHA-1 hash as an existing commit.
>
> ...or getting themselves recruited. Even easier.

Getting recruited involves at minimum "playing the gentoo game" for
several months, learning some otherwise esoteric knowledge, working up a
number of patches that are found useful, and otherwise in general gaining
the trust of existing devs over a period of some months.

The (arguably reasonable but potentially invalid?) assumption is that
there are easier ways to do it, should someone feel it worth the trouble,
so this hurdle is as high as is required.

OTOH, gunpoint commits and then disappearing the committer involves a few
days max, and with devs around the world, one will likely even be
accessible within a local or near-local jurisdiction.


It's worth noting that even with air-tight gpg signing, what's validated
is possession of the secret key, *NOT* the real identity of the signer,
whatever key signing parties and key-holder ID verification may or may not
have occurred at some point in the past.

And I think most will agree that an argument that penetrating the
security of /some/ dev, any one of the ~250-ish out there, and getting a
copy of their secret signing key, is likely to be *WELL* within the
resources of someone with rather less resources than the NSA, and is
likely to be FAR less trouble than EITHER the gunpoint commit or "playing
the gentoo game for N months" scenarios. *THAT* is the one we have to
worry about, as demonstrated by reason and recent history (the kernel.org
hack a couple years ago, among others) both.

-- 
Duncan - List replies preferred. No HTML msgs.
"Every nonfree program has a lord, a master --
and if you use the program, he is your master." Richard Stallman