Re: [Gnu-arch-users] GNU Arch review - am I accurate?
From: Andrew Suffield
Subject: Re: [Gnu-arch-users] GNU Arch review - am I accurate?
Date: Sun, 7 Mar 2004 18:28:42 +0000
User-agent: Mutt/1.5.5.1+cvs20040105i
On Sun, Mar 07, 2004 at 12:22:59PM -0600, Charles Duffy wrote:
> On Thu, 2004-03-04 at 05:00, Andrew Suffield wrote:
> > On Wed, Mar 03, 2004 at 07:07:09AM +0000, David A. Wheeler wrote:
> > > The signatures sign the revision number as well as the change itself
> > > (they're both encoded in the signed tarball), so an attacker can't
> > > just change the patch order and can't silently remove a patch and
> > > renumber the later patches without detection. However, it appears to
> > > me that such signatures (at least as currently implemented) cannot
> > > detect the malicious substitution of whole signed patches (such as
> > > the silent replacement of a previous security fix with a non-fix),
> > > or removal of the "latest" fix before anyone else uses it.
> >
> > This problem is not specific to arch. It's a fundamental limitation of
> > cryptographic signatures. There is no way that you can ever tell
> > whether you are looking at the latest copy of the tree, or whether
> > you're looking at a snapshot that a hostile interloper took yesterday
> > and has substituted for the new one. I don't believe it is even
> > theoretically possible to solve this problem in any system that is
> > based on signatures.
>
> There are things that could be done about it, though: Signature
> chaining, for instance, would mean that substitution would have to be
> done not on a single revision alone but on all future revisions as well.
> Sure, it's not a complete solution, but it could well be better than
> nothing.
I don't believe this is an attack vector in the current system. You
can't insert an unsigned changeset in the middle of a sequence, or
remove a changeset, without tla noticing and stopping. All you can do
is stop adding *any* new changesets.
--
.''`. ** Debian GNU/Linux ** | Andrew Suffield
: :' : http://www.debian.org/ |
`. `' |
`- -><- |
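The three manipulations discussed in this thread (removing a changeset from the middle of the sequence, substituting a whole signed changeset, and dropping the newest changeset so the archive looks frozen) can be checked against a small model. The following is an added example, not code from tla or from anyone in the thread: each changeset is a signed record that embeds its revision number, and the "chained" variant additionally embeds a hash of its predecessor, as Charles Duffy suggests. An HMAC under a constructed key stands in for the GnuPG signature (assumption: only the signer differs, the verification logic is the same), and the substitution case assumes the maintainer once signed a different record for the same revision number, which is the precondition for David Wheeler's scenario.

```python
import hashlib
import hmac
import json

# Constructed stand-in for the maintainer's signing key (assumption, not a real key).
KEY = b"maintainer-signing-key"


def sign(payload: dict) -> dict:
    """Sign a changeset record. The revision number is inside the signed body."""
    body = json.dumps(payload, sort_keys=True).encode()
    sig = hmac.new(KEY, body, hashlib.sha256).hexdigest()
    return {"body": body.decode(), "sig": sig}


def record_hash(rec: dict) -> str:
    return hashlib.sha256(rec["body"].encode()).hexdigest()


def make_archive(changes, chained: bool):
    """Build patch-1..patch-n; with chained=True each record names its predecessor."""
    archive, prev = [], None
    for n, diff in enumerate(changes, start=1):
        payload = {"revision": f"patch-{n}", "diff": diff}
        if chained:
            payload["prev"] = prev  # None for patch-1
        rec = sign(payload)
        archive.append(rec)
        prev = record_hash(rec)
    return archive


def verify(archive, chained: bool):
    """Return (ok, reason): every signature valid, revisions exactly 1..n in order,
    and (if chained) every record pointing at the hash of the record before it."""
    prev = None
    for i, rec in enumerate(archive, start=1):
        expected = hmac.new(KEY, rec["body"].encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, rec["sig"]):
            return False, f"bad signature on entry {i}"
        payload = json.loads(rec["body"])
        if payload["revision"] != f"patch-{i}":
            return False, f"entry {i} carries {payload['revision']}"
        if chained and payload.get("prev") != prev:
            return False, f"entry {i} does not chain to its predecessor"
        prev = record_hash(rec)
    return True, "ok"


def demo():
    """Run the three manipulations from the thread against both archive layouts."""
    changes = ["fix-a", "security-fix", "feature"]
    flat = make_archive(changes, chained=False)
    chain = make_archive(changes, chained=True)
    # Constructed: a second signed patch-2 that is a non-fix (the substitution case).
    alt_flat = make_archive(["fix-a", "non-fix", "feature"], chained=False)[1]
    alt_chain = make_archive(["fix-a", "non-fix", "feature"], chained=True)[1]
    return {
        # Removing patch-2 leaves patch-3 in position 2: caught by the revision check.
        "drop_middle_flat": verify(flat[:1] + flat[2:], False)[0],
        # Swapping in another validly signed patch-2 passes without chaining...
        "swap_flat": verify([flat[0], alt_flat, flat[2]], False)[0],
        # ...but with chaining patch-3 no longer points at the substituted record.
        "swap_chained": verify([chain[0], alt_chain, chain[2]], True)[0],
        # Dropping the newest changeset passes in both layouts: a signature cannot
        # prove that nothing came after it.
        "truncate_flat": verify(flat[:2], False)[0],
        "truncate_chained": verify(chain[:2], True)[0],
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'undetected' if ok else 'detected'}")
```

The chained layout turns a single-record substitution into a job of re-signing every later revision, which is the improvement Charles describes; the truncation rows show the residual limit Andrew describes, namely that the attacker can still stop the archive at an older point. Closing that gap needs something outside the signatures themselves, such as a second party that has already seen the newer revision.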