* Ingo Molnar <[EMAIL PROTECTED]> wrote:
> The compromise relies on you having reviewed something harmless, while
> in reality what happened within the DB was far less harmless. And the
> DB remains self-consistent: neither fsck, nor others importing your
> tree will be able to detect the compromise. This attack can only be
> detected when you apply the patch, after that point all the
> information (except Malice's message in your inbox) is gone.

in fact, this attack cannot even be proven to be malicious, purely via
the email from Malice: it could be incredible bad luck that caused that
good-looking patch to be mistakenly matching a dangerous object.

In fact this could happen even today, _accidentally_. (but i'm willing
to bet that hell will be freezing over first, and i'll have some really
good odds ;) There's probably a much higher likelihood of Linus' tree
getting corrupted in some old fashioned way and introducing a security
hole by accident)

Ingo