Gentoo Archives: gentoo-scm

From: Robert Buchholz <rbu@g.o>
To: gentoo-scm@l.g.o
Cc: "Robin H. Johnson" <robbat2@g.o>
Subject: Re: [gentoo-scm] gentoo-x86 on git - Manifests
Date: Fri, 20 Feb 2009 10:04:29
Message-Id: 200902201104.26526.rbu@gentoo.org
In Reply to: Re: [gentoo-scm] gentoo-x86 on git - Manifests by "Robin H. Johnson"
On Thursday 19 February 2009, Robin H. Johnson wrote:
> On Thu, Feb 19, 2009 at 10:47:33AM +0100, Robert Buchholz wrote:
> > > Your count of needing to attack two boxes presently is wrong.
> > > Just pick some community rsyncNN.CC.gentoo.org that also hosts
> > > distfiles via HTTP/FTP, and attack that box, replacing both a
> > > Manifest and the distfile.
> >
> > The rsync attack can be avoided by using the signed tree tarballs.
> > The DIST hash attack can't.
>
> Err, unless I'm missing something, the signed-tree stuff (as tarballs
> or MetaManifest per my GLEPs) does prevent the DIST hash issue as
> well. For a signed tree (where the Manifests and full tree contents
> are verifiable), I don't see how you would subvert a distfile and NOT
> have it detected (short of defeating the hash functions).

Maybe I should have been clearer. By the "DIST hash attack" I meant an
attack on the original location of the distfile where you would need to
run a man-in-the-middle attack on the developer and either the
distfiles master or the user downloading the file. That's why I said
right now you need to attack two boxes, and by removing DIST entries
from Manifest this would be reduced to one.


Robert
