On 2014-09-16 14:40, hasufell wrote:
> Michael Orlitzky:
> > To put things in perspective, all I had to do was ask for commit access
> > and somebody eventually gave it to me. We should worry about this when
> > breaking SHA1 becomes less expensive than the ebuild quizzes.
>
> Yep, that's what I'd try to do actually if I was working for NSA
> (uh-oh). Try to get "collaborators" into every possible opensource project.
>
> There are so many things you can do... e.g. "fix" a security bug, but
> reference a self-packaged tarball from your dev space (which still
> contains the exploit) in the ebuild. No one will know.
> And that's a pretty low hanging fruit.
>
This is what's been driving me batty. None of you verified my identity before letting me be an official Gentoo Developer. Yet I have access to the repo. All I had to do was complete the quizzes.

The real concern is restricting access to the master repository. If the attacker has gained access, either by becoming a developer or some other means, then we're only kind of inconvenienced a little. We have to take the system down for a bit, fix the problem, and replace the repo with a trusted source or just roll it back to the last known good commit before the good commit was made.

When Linus has talked about Git using SHA-1, the impression I got was that it isn't a means of preventing attacks, but ensuring corruption hasn't happened. When he talked about an attack to the kernel repository, it was with BitKeeper, which used a much weaker hash, and still thwarted an attack.

I also like what Pro Git has to say: http://git-scm.com/book/ch6-1.html#A-SHORT-NOTE-ABOUT-SHA-1

It doesn't mention SHA-1 as a security feature, but that collisions are effectively not a concern. Instead, we should be more concerned about us all being dragged off into the night by wolves. Simultaneously.

Git hasn't promised to be secure against attacks. Just secure against corruption. Two different things.

-- 
Mr. Aaron W. Swenson
Gentoo Linux Developer
PostgreSQL Herd Bull
Email : titanof...@gentoo.org
GnuPG FP : 2C00 7719 4F85 FB07 A49C 0E31 5713 AA03 D1BB FDA0
GnuPG ID : D1BBFDA0