Re: [gentoo-dev] git security (SHA-1)

2014-09-17 Thread Michał Górny
On 2014-09-17, at 12:36:16, Ciaran McCreesh wrote: > On Wed, 17 Sep 2014 07:21:08 -0400 > Tim Boudreau wrote: > > If someone wants to commit malicious code into Gentoo, they're far > > more likely to take the ugly but pragmatic approach of, say, forcing > > someone to commit malicious

Re: [gentoo-dev] git security (SHA-1)

2014-09-17 Thread Piotr Szymaniak
On Wed, Sep 17, 2014 at 07:21:08AM -0400, Tim Boudreau wrote: > If someone wants to commit malicious code into Gentoo, they're far more > likely to take the ugly but pragmatic approach of, say, forcing someone to > commit malicious code at gunpoint and then shooting them, than to go to the > vast e

Re: [gentoo-dev] git security (SHA-1)

2014-09-17 Thread hasufell
Aaron W. Swenson: > > This is what's been driving me batty. None of you verified my identity > before letting me be an official Gentoo Developer. Yet I have access to > the repo. All I had to do was complete the quizzes. > The only way to improve security in the sense of random collaborators is

Re: [gentoo-dev] git security (SHA-1)

2014-09-17 Thread Aaron W. Swenson
On 2014-09-17 12:08, Ciaran McCreesh wrote: > On Wed, 17 Sep 2014 07:04:08 -0400 > "Aaron W. Swenson" wrote: > > This is what's been driving me batty. None of you verified my identity > > before letting me be an official Gentoo Developer. > > Why does that matter? My argument is Git using SHA-1

Re: [gentoo-dev] git security (SHA-1)

2014-09-17 Thread Ciaran McCreesh
On Wed, 17 Sep 2014 07:21:08 -0400 Tim Boudreau wrote: > If someone wants to commit malicious code into Gentoo, they're far > more likely to take the ugly but pragmatic approach of, say, forcing > someone to commit malicious code at gunpoint and then shooting them, > than to go to the vast effort

Re: [gentoo-dev] git security (SHA-1)

2014-09-17 Thread Tim Boudreau
If someone wants to commit malicious code into Gentoo, they're far more likely to take the ugly but pragmatic approach of, say, forcing someone to commit malicious code at gunpoint and then shooting them, than to go to the vast effort it would take to come up with malicious code that conveniently h

Re: [gentoo-dev] git security (SHA-1)

2014-09-17 Thread Ciaran McCreesh
On Wed, 17 Sep 2014 07:04:08 -0400 "Aaron W. Swenson" wrote: > This is what's been driving me batty. None of you verified my identity > before letting me be an official Gentoo Developer. Why does that matter? -- Ciaran McCreesh

Re: [gentoo-dev] git security (SHA-1)

2014-09-17 Thread Aaron W. Swenson
On 2014-09-16 14:40, hasufell wrote: > Michael Orlitzky: > > To put things in perspective, all I had to do was ask for commit access > > and somebody eventually gave it to me. We should worry about this when > > breaking SHA1 becomes less expensive than the ebuild quizzes. > > Yep, that's what I'd

Re: [gentoo-dev] git security (SHA-1)

2014-09-16 Thread Peter Stuge
Rich Freeman wrote:
> If you want to satisfy yourself I believe you can get git to dump
> the contents of any object without formatting/etc.

git ls-tree HEAD .
git show $blobhash
git show --pretty=raw HEAD

//Peter

Re: [gentoo-dev] git security (SHA-1)

2014-09-16 Thread Ian Stakenvicius
On 16/09/14 10:33 AM, Kent Fredric wrote: > > On 17 September 2014 01:44, Ian Stakenvicius > wrote: > >> bottom of the comment a clearsign on the contents of the commit? > > [...] the very best I think you could do is sign

Re: [gentoo-dev] git security (SHA-1)

2014-09-16 Thread hasufell
Michael Orlitzky: > On 09/16/2014 10:03 AM, Rich Freeman wrote: >> >> The gpg signature is on the entire contents of the "commit." However, >> the contents of the commit do not include the files that are being >> committed - it includes hashes of the parent commit, the commit >> message, other hea

Re: [gentoo-dev] git security (SHA-1)

2014-09-16 Thread Kent Fredric
On 17 September 2014 01:44, Ian Stakenvicius wrote: > bottom of the comment a clearsign on the contents of the commit? > I don't see that being useful as written, because that's presently exactly what git does. the very best I think you could do is sign the commit *diff*, ie: recursively compa

Re: [gentoo-dev] git security (SHA-1)

2014-09-16 Thread Michael Orlitzky
On 09/16/2014 10:03 AM, Rich Freeman wrote: > > The gpg signature is on the entire contents of the "commit." However, > the contents of the commit do not include the files that are being > committed - it includes hashes of the parent commit, the commit > message, other headers, and the hash of th

Re: [gentoo-dev] git security (SHA-1)

2014-09-16 Thread Rich Freeman
On Tue, Sep 16, 2014 at 9:44 AM, Ian Stakenvicius wrote: > > If the issue preventing protection is that the gpg signature only > signs the hash, couldn't we just make repoman automatically add to the > bottom of the comment a clearsign on the contents of the commit? > The gpg signature is on the

Re: [gentoo-dev] git security (SHA-1)

2014-09-16 Thread Ian Stakenvicius
On 15/09/14 07:59 PM, Rich Freeman wrote: > On Mon, Sep 15, 2014 at 6:11 PM, Gordon Pettey > wrote: >> >> Even if you wanted to burn the money to find that magical >> collision that actually contains working code, you've still got >> to somehow pro

Re: [gentoo-dev] git security (SHA-1)

2014-09-15 Thread Rich Freeman
On Mon, Sep 15, 2014 at 6:11 PM, Gordon Pettey wrote: > > Even if you wanted to burn the money to find that magical collision that > actually contains working code, you've still got to somehow propagate that > to other repositories, since they'll just ignore it for having the same hash > as an alr

Re: [gentoo-dev] git security (SHA-1)

2014-09-15 Thread Duy Nguyen
On Tue, Sep 16, 2014 at 5:41 AM, Duy Nguyen wrote: >> Even if you wanted to burn the money to find that magical collision that >> actually contains working code, you've still got to somehow propagate that >> to other repositories, since they'll just ignore it for having the same hash >> as an alre

Re: [gentoo-dev] git security (SHA-1)

2014-09-15 Thread Duy Nguyen
On Tue, Sep 16, 2014 at 5:11 AM, Gordon Pettey wrote: > On Mon, Sep 15, 2014 at 7:02 AM, hasufell wrote: >> >> hasufell: >> > >> > * there is no known SHA-1 collision afais >> > * calculating one isn't that hard. NSA might be able to do it in >> > reasonable time >> > * however, the algorithms to

Re: [gentoo-dev] git security (SHA-1)

2014-09-15 Thread Gordon Pettey
On Mon, Sep 15, 2014 at 7:02 AM, hasufell wrote: > hasufell: > > > > * there is no known SHA-1 collision afais > > * calculating one isn't that hard. NSA might be able to do it in > > reasonable time > > * however, the algorithms to do that will come up with random garbage, > > so it's a complete

Re: [gentoo-dev] git security (SHA-1)

2014-09-15 Thread hasufell
hasufell: > > * there is no known SHA-1 collision afais > * calculating one isn't that hard. NSA might be able to do it in > reasonable time > * however, the algorithms to do that will come up with random garbage, > so it's a completely different thing to hide a useful vulnerability > behind a SHA

Re: [gentoo-dev] git security (SHA-1)

2014-09-15 Thread Tomáš Pružina
On Mon, Sep 15, 2014 at 12:35 PM, hasufell wrote: > Jauhien Piatlicki: >> Hi, >> >> On 09/15/2014 01:37 AM, Kent Fredric wrote: >>> On 15 September 2014 11:25, hasufell wrote: >>> Robin said > The Git commit-signing design explicitly signs the entire commit, including blob contents,

[gentoo-dev] git security (SHA-1)

2014-09-15 Thread hasufell
Jauhien Piatlicki: > Hi, > > On 09/15/2014 01:37 AM, Kent Fredric wrote: >> On 15 September 2014 11:25, hasufell wrote: >> >>> Robin said The Git commit-signing design explicitly signs the entire commit, >>> including blob contents, to avoid this security problem. >>> >>> Is this correct or