| 1 |
On Thu, Aug 25, 2011 at 12:23:40AM -0400, Mike Frysinger wrote: |
| 2 |
> On Monday, August 22, 2011 15:28:57 Robin H. Johnson wrote: |
| 3 |
> > Unresolved items: |
| 4 |
> > - commit signing |
| 5 |
> > - thin Manifests |
| 6 |
> how exactly are these two supposed to interact ? the previous discussion |
| 7 |
> seemed to miss signing. if devs sign the thin manifests, when we go to |
| 8 |
> produce the full manifest for rsync, we invalidate the signature. |
| 9 |
Thin Manifests are not going to be explicitly signed like the current |
| 10 |
signatures. |
| 11 |
|
| 12 |
To summarize this better: |
| 13 |
1. Thin Manifests contain DIST lines, and _nothing_ else. |
| 14 |
1.1. Specifically: no signatures, and esp. not any other files that |
| 15 |
appear in Git. |
| 16 |
2. Commits (or pushes [1]) are signed going into Git. |
| 17 |
2.1. Non-signed commits/pushes are REJECTED by git-receive-pack on the |
| 18 |
server-side. |
| 19 |
3. Git->rsync build phase: |
| 20 |
3.1. Verify all commit signatures. |
| 21 |
3.2. Add metadata and other files. |
| 22 |
3.3. Build thick Manifests. |
| 23 |
3.4. Produce new signatures for Manifests. |
| 24 |
3.5. MetaManifest? |
| 25 |
|
| 26 |
> the other attack we want to prevent is MITM when people sync. in this case, |
| 27 |
> someone who syncs over git:// is perpetually vulnerable with thin manifests as |
| 28 |
> the attacker can keep recomputing the collisions so that the modified tree |
| 29 |
> keeps ending up with the same digests as the public one. and the end user |
| 30 |
> never notices without manually reviewing everything themselves. |
| 31 |
I don't follow this attack. The commits are signed, and the git:// user |
| 32 |
can verify them. |
| 33 |
|
| 34 |
> well, it sort of does. sha1 has been shown to be weaker than brute forcing, |
| 35 |
... |
| 36 |
> talking about migrating away from it. and now in 2012, we want to talk about |
| 37 |
> migrating purely to it ? |
| 38 |
RESO UPSTREAM(git). It looks like Git will probably migrate to whatever |
| 39 |
hash wins the SHA-3 contest. |
| 40 |
|
| 41 |
Footnotes: |
| 42 |
[1] Current state of commit signing, 2011/09/13 05:00 UTC |
| 43 |
There's a variation of commit signing presently being actively discussed |
| 44 |
on the Git mailing list. It's making a LOT more progress than previous |
| 45 |
signing discussions. Rather than signing blobs or commits directly, it's |
| 46 |
actually signing pushes (which include the SHA1's of commits and thus |
| 47 |
blobs). I'm personally concerned it's going to still be vulnerable to |
| 48 |
the collision/pre-image attacks, but it's much better than no signing |
| 49 |
(one of the attacks suggested against my SHA1-workaround signing was to |
| 50 |
subvert the note that my signature was being stored in). |
| 51 |
|
| 52 |
-- |
| 53 |
Robin Hugh Johnson |
| 54 |
Gentoo Linux: Developer, Trustee & Infrastructure Lead |
| 55 |
E-Mail : robbat2@g.o |
| 56 |
GnuPG FP : 11AC BA4F 4778 E3F6 E4ED F38E B27B 944E 3488 4E85 |
Archives