On Thu, Feb 19, 2009 at 10:47:33AM +0100, Robert Buchholz wrote:
> > Your count of needing to attack two boxes presently is wrong. Just
> > pick some community rsyncNN.CC.gentoo.org that also hosts distfiles
> > via HTTP/FTP, and attack that box, replacing both a Manifest and the
> > distfile.
> The rsync attack can be avoided by using the signed tree tarballs.
> The DIST hash attack can't.
Err, unless I'm missing something, the signed-tree stuff (as tarballs or
MetaManifest per my GLEPs) does prevent the DIST hash issue as well.
For a signed tree (where the Manifests and full tree contents are
verifiable), I don't see how you would subvert a distfile and NOT have
it detected (short of defeating the hash functions).

--
Robin Hugh Johnson
Gentoo Linux Developer & Infra Guy
E-Mail : robbat2@g.o
GnuPG FP : 11AC BA4F 4778 E3F6 E4ED F38E B27B 944E 3488 4E85
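The chain Robin describes, as an added example that is not part of this mail and not Portage's own code: a signed MetaManifest covers each package Manifest, and each Manifest's DIST line covers a distfile, so a mirror that rewrites a tarball together with its DIST line is caught at the Manifest level, and a mirror that also regenerates the MetaManifest is caught by the signature. Everything below is constructed for illustration: the package name, file contents and layout are made up, and an HMAC under a key only the signer holds stands in for the detached GnuPG signature so the script runs offline. The unsigned path (`signed=False`) models a plain rsync tree where only the per-package Manifest is checked, which is the case Robert's scenario defeats.

```python
"""Signed-tree verification: MetaManifest -> Manifest -> DIST -> distfile.

Constructed example.  Package names, contents and the signing key are invented;
HMAC-SHA256 stands in for the detached GnuPG signature over the MetaManifest.
"""
import hashlib
import hmac

KEY = b"signer-private-key-stand-in"  # assumption: only the tree signer holds this


def sha256hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_manifest(distfiles: dict) -> str:
    """One 'DIST <name> <size> SHA256 <hex>' line per distfile, Manifest2 style."""
    return "".join(f"DIST {n} {len(d)} SHA256 {sha256hex(d)}\n"
                   for n, d in sorted(distfiles.items()))


def make_metamanifest(manifests: dict) -> str:
    """One 'MANIFEST <pkg> <size> SHA256 <hex>' line per package Manifest."""
    return "".join(f"MANIFEST {p} {len(m)} SHA256 {sha256hex(m.encode())}\n"
                   for p, m in sorted(manifests.items()))


def sign(metamanifest: str, key: bytes) -> str:
    """Stand-in for the GnuPG detached signature over the MetaManifest."""
    return hmac.new(key, metamanifest.encode(), "sha256").hexdigest()


def parse_lines(text: str, tag: str) -> dict:
    """Map name -> (size, digest) for every line starting with `tag`."""
    out = {}
    for line in text.splitlines():
        t, name, size, _algo, digest = line.split()
        if t == tag:
            out[name] = (int(size), digest)
    return out


def build_tree(key: bytes) -> dict:
    """Constructed repository: one package, one distfile, as a client fetches them."""
    distfiles = {"foo-1.0.tar.gz": b"genuine foo-1.0 sources"}
    packages = {"app-misc/foo": ["foo-1.0.tar.gz"]}
    manifests = {pkg: make_manifest({n: distfiles[n] for n in names})
                 for pkg, names in packages.items()}
    meta = make_metamanifest(manifests)
    return {"distfiles": distfiles, "manifests": manifests,
            "metamanifest": meta, "signature": sign(meta, key)}


def verify_tree(tree: dict, key: bytes, signed: bool = True) -> tuple:
    """Return (ok, reason).  signed=False models an unsigned rsync tree where
    only the per-package Manifest is trusted."""
    if signed:
        if not hmac.compare_digest(sign(tree["metamanifest"], key), tree["signature"]):
            return False, "MetaManifest signature invalid"
        expected = parse_lines(tree["metamanifest"], "MANIFEST")
        if set(expected) != set(tree["manifests"]):
            return False, "Manifest set differs from signed MetaManifest"
        for pkg, text in tree["manifests"].items():
            size, digest = expected[pkg]
            if size != len(text) or digest != sha256hex(text.encode()):
                return False, f"Manifest for {pkg} does not match signed MetaManifest"
    for pkg, text in tree["manifests"].items():
        for name, (size, digest) in parse_lines(text, "DIST").items():
            data = tree["distfiles"][name]
            if len(data) != size or sha256hex(data) != digest:
                return False, f"DIST hash mismatch for {name}"
    return True, "ok"


def mirror_attack(tree: dict, rebuild_meta: bool = False) -> dict:
    """A mirror serving both the tree and distfiles swaps a tarball and rewrites
    its DIST line to match.  With rebuild_meta it also regenerates the
    MetaManifest, but cannot re-sign it without the signer's key."""
    t = {k: (dict(v) if isinstance(v, dict) else v) for k, v in tree.items()}
    t["distfiles"]["foo-1.0.tar.gz"] = b"backdoored foo-1.0 sources"
    t["manifests"]["app-misc/foo"] = make_manifest(
        {"foo-1.0.tar.gz": t["distfiles"]["foo-1.0.tar.gz"]})
    if rebuild_meta:
        t["metamanifest"] = make_metamanifest(t["manifests"])
    return t


if __name__ == "__main__":
    good = build_tree(KEY)
    print("clean tree:", verify_tree(good, KEY))
    print("unsigned rsync tree, mirror attack:", verify_tree(mirror_attack(good), KEY, signed=False))
    print("signed tree, mirror attack:", verify_tree(mirror_attack(good), KEY))
    print("signed tree, MetaManifest rebuilt too:",
          verify_tree(mirror_attack(good, rebuild_meta=True), KEY))
```

The unsigned check passes on the tampered tree because the rewritten DIST line is internally consistent with the replaced tarball; only the signed MetaManifest ties the Manifest content to something the mirror cannot forge.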