Gentoo Archives: gentoo-scm

From: Robert Buchholz <rbu@g.o>
To: gentoo-scm@l.g.o
Cc: "Robin H. Johnson" <robbat2@g.o>
Subject: Re: [gentoo-scm] gentoo-x86 on git - Manifests
Date: Fri, 20 Feb 2009 10:04:29
In Reply to: Re: [gentoo-scm] gentoo-x86 on git - Manifests by "Robin H. Johnson"
On Thursday 19 February 2009, Robin H. Johnson wrote:
> On Thu, Feb 19, 2009 at 10:47:33AM +0100, Robert Buchholz wrote:
> > > Your count of needing to attack two boxes presently is wrong.
> > > Just pick some community that also hosts
> > > distfiles via HTTP/FTP, and attack that box, replacing both a
> > > Manifest and the distfile.
> >
> > The rsync attack can be avoided by using the signed tree tarballs.
> > The DIST hash attack can't.
>
> Err, unless I'm missing something, the signed-tree stuff (as tarballs
> or MetaManifest per my GLEPs) does prevent the DIST hash issue as
> well. For a signed tree (where the Manifests and full tree contents
> are verifiable), I don't see how you would subvert a distfile and NOT
> have it detected (short of defeating the hash functions).

Maybe I should have been clearer. By the "DIST hash attack" I meant an attack on the original location of the distfile where you would need to run a man-in-the-middle attack on the developer and either the distfiles master or the user downloading the file.

That's why I said right now you need to attack two boxes, and by removing DIST entries from Manifest this would be reduced to one.

Robert
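
An added illustration, not part of the original message and not Portage's own code: a minimal check of a downloaded distfile against the DIST lines of a Manifest, the verification this thread is about. The file name, contents and the `ALGOS` subset are constructed assumptions, and the Manifest is assumed to have been authenticated already (for example through a signed tree).

```python
import hashlib

# Manifest hash names mapped to hashlib constructors (subset; assumption).
ALGOS = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}

def parse_dist_entries(manifest_text):
    """Return {filename: (size, {HASHNAME: hexdigest})} from DIST lines."""
    entries = {}
    for line in manifest_text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "DIST":
            continue  # EBUILD/AUX/MISC lines and blanks are out of scope here
        name, size, rest = fields[1], int(fields[2]), fields[3:]
        if len(rest) % 2:
            raise ValueError("unpaired hash field in DIST line for " + name)
        entries[name] = (size, dict(zip(rest[0::2], rest[1::2])))
    return entries

def verify_distfile(entries, name, data):
    """Return a list of failed checks; an empty list means the file matches."""
    if name not in entries:
        return ["no DIST entry"]  # fail closed: nothing to verify against
    size, hashes = entries[name]
    failed = [] if len(data) == size else ["size"]
    for algo, expected in sorted(hashes.items()):
        if algo not in ALGOS:
            failed.append("unsupported " + algo)
        elif ALGOS[algo](data).hexdigest() != expected.lower():
            failed.append(algo)
    return failed

def dist_line(name, data):
    """Build a DIST line for constructed sample data."""
    return "DIST {} {} SHA256 {} SHA512 {}".format(
        name, len(data), hashlib.sha256(data).hexdigest(),
        hashlib.sha512(data).hexdigest())

# Constructed sample: same-length genuine and replaced tarball contents.
GOOD = b"genuine release tarball\n"
BAD = b"trojan! release tarball\n"
MANIFEST = dist_line("foo-1.0.tar.gz", GOOD) + "\nEBUILD foo-1.0.ebuild 0 SHA256 00\n"

if __name__ == "__main__":
    entries = parse_dist_entries(MANIFEST)
    print(verify_distfile(entries, "foo-1.0.tar.gz", GOOD))
    print(verify_distfile(entries, "foo-1.0.tar.gz", BAD))
```

When a file has no DIST entry, the function has nothing to compare against and reports that instead of passing the file.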

