On Fri, Jun 8, 2012 at 7:01 AM, W. Trevor King <wking@×××××××.us> wrote:

> When the breach is discovered, you can then isolate the dev (or devs)
> who implicitly signed the hack (2) by pulling the ToT without checking
> for a valid signature (3). Then you yell at them for sloppy security,
> and tell them to install your signature-checking post-receive hook.

Well, if devs are supposed to do this, we should probably write this
down as a policy somewhere. Probably wouldn't hurt if the
post-receive hook actually existed, and it was designed to only work
on the official tree; otherwise everybody will just uninstall it, since
people don't just pull from the official tree.

I doubt any dev checks the signatures on manifest files before they
overwrite them with a new signature. If they did, it wouldn't matter,
since those signatures aren't even mandatory anyway. Certainly it
isn't intuitive to me that when I perform a signature on changes I
make, I'm also vouching for work committed by somebody else before
me.

Process can be as effective as technology in achieving security, but
only if those processes are clear, and unintrusive enough to ensure
they are followed. I wouldn't count on being able to yell at
developers - first, it does nothing to solve the mess that you'd be in
at that point, and second, you can only yell at volunteers so much.

Rich