Michael Orlitzky:
> On 09/16/2014 10:03 AM, Rich Freeman wrote:
>>
>> The gpg signature is on the entire contents of the "commit." However,
>> the contents of the commit do not include the files that are being
>> committed - it includes hashes of the parent commit, the commit
>> message, other headers, and the hash of the tree being committed,
>> which is sha1. That last hash is the only thing that ties the commit
>> to the files being committed, so you can modify the files all you like
>> as long as the sha1 is the same.
>>
>
> To put things in perspective, all I had to do was ask for commit access
> and somebody eventually gave it to me. We should worry about this when
> breaking SHA1 becomes less expensive than the ebuild quizzes.
>
Yep, that's what I'd try to do actually if I was working for the NSA (uh-oh). Try to get "collaborators" into every possible open-source project. There are so many things you can do... e.g. "fix" a security bug, but reference a self-packaged tarball from your dev space (which still contains the exploit) in the ebuild. No one will know. And that's pretty low-hanging fruit.
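The point Rich makes in the quoted text, that a signed commit covers only the tree's SHA-1 and not the files themselves, is easy to see by building git's objects by hand. The following is an added illustration, not code from the thread or from Gentoo: it recomputes git's blob, tree and commit hashes with nothing but hashlib, shows that the signed commit payload carries no file content, and then performs the check a verifier would do, recomputing the tree hash from the checked-out files and comparing it with the tree line in the signed payload. The repository contents, author string and commit message are constructed sample data; the only way an altered ebuild passes this check is a SHA-1 collision on the tree or blob, which is exactly the cost the thread is weighing.

```python
import hashlib
from typing import Dict, List


def git_object_id(obj_type: str, body: bytes) -> str:
    """Hash a git object the way git does: SHA-1 over "<type> <len>\\0<body>"."""
    header = f"{obj_type} {len(body)}\0".encode()
    return hashlib.sha1(header + body).hexdigest()


def blob_id(content: bytes) -> str:
    return git_object_id("blob", content)


def tree_id(files: Dict[str, bytes]) -> str:
    """Flat tree (regular files, no subdirectories), entries sorted by name as
    git requires; each entry is "<mode> <name>\\0" followed by the 20 raw oid bytes."""
    body = b""
    for name in sorted(files):
        body += f"100644 {name}\0".encode() + bytes.fromhex(blob_id(files[name]))
    return git_object_id("tree", body)


def commit_payload(tree: str, parents: List[str], author: str,
                   committer: str, message: str) -> bytes:
    """The bytes a GPG signature on a commit actually covers: the commit
    object text with the gpgsig header left out. Note that only the tree's
    hash appears here, never the files themselves."""
    lines = [f"tree {tree}"] + [f"parent {p}" for p in parents]
    lines += [f"author {author}", f"committer {committer}", "", message]
    return "\n".join(lines).encode()


def tree_matches_commit(payload: bytes, files: Dict[str, bytes]) -> bool:
    """Verifier's check: recompute the tree from the checked-out files and
    compare it with the tree line of the (signed) commit payload."""
    first = payload.split(b"\n", 1)[0]
    if not first.startswith(b"tree "):
        raise ValueError("not a commit payload")
    return first[5:].decode() == tree_id(files)


# Constructed sample repository state (hypothetical package, not from the thread).
ORIGINAL = {
    "foo-1.0.ebuild": b'EAPI=5\nSRC_URI="mirror://gentoo/foo-1.0.tar.gz"\n',
    "hello.txt": b"hello\n",
}
AUTHOR = "Example Dev <dev@example.invalid> 1410879780 -0400"

# What a signature on this commit would be computed over.
SIGNED_PAYLOAD = commit_payload(tree_id(ORIGINAL), [], AUTHOR, AUTHOR,
                                "foo: fix security bug\n")


def tampered_files() -> Dict[str, bytes]:
    """Same checkout, but the ebuild now points at a tarball from the
    committer's own dev space (the scenario in the reply above)."""
    t = dict(ORIGINAL)
    t["foo-1.0.ebuild"] = b'EAPI=5\nSRC_URI="https://dev.example.invalid/foo-1.0.tar.gz"\n'
    return t


if __name__ == "__main__":
    print(SIGNED_PAYLOAD.decode())
    print("original tree verifies:", tree_matches_commit(SIGNED_PAYLOAD, ORIGINAL))
    print("tampered tree verifies:", tree_matches_commit(SIGNED_PAYLOAD, tampered_files()))
```

The blob hashes produced here match `git hash-object` for the same content, so the check is the same one `git fsck` performs when it walks from a commit down to its blobs; a signed commit plus a consistent object walk is what actually binds the signature to the files.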