| 1 |
Ciaran McCreesh posted on Wed, 17 Sep 2014 12:36:16 +0100 as excerpted: |
| 2 |
|
| 3 |
> On Wed, 17 Sep 2014 07:21:08 -0400 Tim Boudreau <niftiness@×××××.com> |
| 4 |
> wrote: |
| 5 |
>> If someone wants to commit malicious code into Gentoo, they're far more |
| 6 |
>> likely to take the ugly but pragmatic approach of, say, forcing someone |
| 7 |
>> to commit malicious code at gunpoint and then shooting them, than to go |
| 8 |
>> to the vast effort it would take to come up with malicious code that |
| 9 |
>> conveniently has the same SHA-1 hash as an existing commit. |
| 10 |
> |
| 11 |
> ...or getting themselves recruited. Even easier. |
| 12 |
|
| 13 |
Getting recruited, involves at minimum "playing the gentoo game" for |
| 14 |
several months, learning some otherwise esoteric knowledge, working up a |
| 15 |
number of patches that are found useful, and otherwise in general gaining |
| 16 |
the trust of existing devs over a period of some months. |
| 17 |
|
| 18 |
The (arguably reasonable put potentially invalid?) assumption is that |
| 19 |
there's easier ways to do it, should someone feel it worth the trouble, |
| 20 |
so this hurdle is as high as is required. |
| 21 |
|
| 22 |
OTOH, Gunpoint commits and then disappearing the committer involves a few |
| 23 |
days max, and with devs around the world, one will likely even be |
| 24 |
accessible within a local or near-local jurisdiction. |
| 25 |
|
| 26 |
|
| 27 |
It's worth noting that even with air-tight gpg signing, what's validated |
| 28 |
is possession of the secret key, *NOT* the real identity of the signer, |
| 29 |
whatever key signing parties and key-holder ID verification may or may |
| 30 |
have occurred at some point in the past. |
| 31 |
|
| 32 |
And I think most will agree that an argument that penetrating the |
| 33 |
security of /some/ dev, any one of the ~250-ish out there, and getting a |
| 34 |
copy of their secret signing key, is likely to be *WELL* within the |
| 35 |
resources of someone with rather less resources than the NSA, and is |
| 36 |
likely to be FAR less trouble than EITHER the gunpoint commit or "playing |
| 37 |
the gentoo game for N months" scenarios. *THAT* is the one we have to |
| 38 |
worry about, as demonstrated by reason and recent history (the kernel.org |
| 39 |
hack a couple years ago, among others) both. |
| 40 |
|
| 41 |
-- |
| 42 |
Duncan - List replies preferred. No HTML msgs. |
| 43 |
"Every nonfree program has a lord, a master -- |
| 44 |
and if you use the program, he is your master." Richard Stallman |
Archives