Signing snapshots
Aaron Bentley
aaron.bentley at utoronto.ca
Tue Jun 21 12:00:53 BST 2005
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi all,
Part of the plan for signing in bzr was to sign the snapshot, not the
data generated from it (i.e. the revision store gzips or whatever).
In #arch, Andrew Suffield has listed a couple of reasons why he thinks
this is a terrible idea.
00:29 < abentley> asuffield: let's say as a straw-man, we took an inventory of the tree, with SHA-1 sums, sorted that inventory in a rigorously defined way, and signed it. What kind of holes would you expect to find?
00:30 < asuffield> abentley: I would expect to find DoS attacks against the inventory process and ways to slip files past it which never appear in the inventory, and that's without even thinking about it
00:31 < asuffield> I would also expect to find implementation bugs that were exploitable, probably suitable for remote arbitrary code execution
He also pointed out that there have been exploits against gzip in the
past, and that, in his estimate, neither tar nor gzip can be considered
secure. Good thing we don't use tar, I guess :-)
Anyhow, I thought that these issues were worth discussing.
Aaron
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
iD8DBQFCt/Nl0F+nu1YWqI0RAhy7AJ0WbNibIqB22aAMJNrMi02lwFoW/wCfWJRA
DnlaUSIES0k27RUk93TC4vE=
=RbEc
-----END PGP SIGNATURE-----
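As an added example (not bzr's code and not anything from the post or the IRC excerpt), here is the straw-man carried through in Python: inventory the tree with SHA-1 sums, serialize it in a rigorously defined byte order, sign the serialization, and on verification compare the signed inventory against a fresh walk of the tree so that a file the inventory never saw is reported rather than slipping past. The `inventory-v1` format, the HMAC standing in for a detached PGP signature, the placeholder key and the sample tree are all assumptions constructed for the example.

```python
"""Canonical tree inventory: sorted, length-prefixed SHA-1 entries, signed.

Added example, not bzr code. The HMAC is a stand-in for the PGP signature
the post has in mind; the key and the "inventory-v1" format are made up.
"""
import hashlib
import hmac
import os
import tempfile
from typing import Dict, List, Tuple

Entry = Tuple[str, str]        # (kind, sha1 hex); kind is "file" or "symlink"
Inventory = Dict[str, Entry]   # relative path with "/" separators -> entry
HEADER = b"inventory-v1\n"


def _sha1(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def inventory_tree(root: str) -> Inventory:
    """Walk root without following symlinks. Regular files are hashed by
    content, symlinks by their target string (so a link out of the tree
    cannot drag foreign content into the hashed view). Anything else
    (sockets, fifos, devices) is refused instead of skipped: a skipped
    object is exactly a file that "never appears in the inventory"."""
    inv: Inventory = {}

    def walk(dirname: str) -> None:
        with os.scandir(dirname) as it:
            for entry in it:
                rel = os.path.relpath(entry.path, root).replace(os.sep, "/")
                if entry.is_symlink():
                    target = os.readlink(entry.path).encode("utf-8", "surrogateescape")
                    inv[rel] = ("symlink", _sha1(target))
                elif entry.is_dir(follow_symlinks=False):
                    walk(entry.path)          # empty directories are not recorded
                elif entry.is_file(follow_symlinks=False):
                    with open(entry.path, "rb") as fh:
                        inv[rel] = ("file", _sha1(fh.read()))
                else:
                    raise ValueError("refusing special file: " + rel)

    walk(root)
    return inv


def canonical_bytes(inv: Inventory) -> bytes:
    """Byte-exact form: one entry per line, sorted by the UTF-8 bytes of the
    path (not locale collation), path length-prefixed so a newline or colon
    inside a filename cannot split one entry in two or hide one in another.
    Names that are not valid UTF-8 raise rather than being guessed at."""
    lines = [HEADER]
    for path in sorted(inv, key=lambda p: p.encode("utf-8")):
        kind, digest = inv[path]
        p = path.encode("utf-8")
        lines.append(b"%d:" % len(p) + p + b":" + kind.encode("ascii")
                     + b":" + digest.encode("ascii") + b"\n")
    return b"".join(lines)


def parse_inventory(data: bytes) -> Inventory:
    """Inverse of canonical_bytes. Accepts only the exact canonical form, so
    a re-ordered, duplicated or padded inventory never verifies by accident."""
    if not data.startswith(HEADER):
        raise ValueError("bad header")
    pos, inv = len(HEADER), {}  # type: int, Inventory
    while pos < len(data):
        colon = data.index(b":", pos)
        n = int(data[pos:colon])
        if n < 0:
            raise ValueError("negative length")
        p = data[colon + 1:colon + 1 + n]
        end = data.index(b"\n", colon + 1 + n)
        fields = data[colon + 1 + n:end].split(b":")
        if len(fields) != 3 or fields[0] != b"" or len(fields[2]) != 40:
            raise ValueError("malformed entry")
        inv[p.decode("utf-8")] = (fields[1].decode("ascii"), fields[2].decode("ascii"))
        pos = end + 1
    if canonical_bytes(inv) != data:
        raise ValueError("inventory is not in canonical form")
    return inv


def rejects(data: bytes) -> bool:
    """True if parse_inventory refuses data (helper for the checks below)."""
    try:
        parse_inventory(data)
    except ValueError:
        return True
    return False


def sign_inventory(inv: Inventory, key: bytes) -> Tuple[bytes, str]:
    canon = canonical_bytes(inv)
    return canon, hmac.new(key, canon, hashlib.sha256).hexdigest()


def verify_tree(root: str, canon: bytes, signature: str, key: bytes) -> List[str]:
    """Return problems found; an empty list means the tree matches the signed
    inventory. The signature is checked before the bytes reach the parser."""
    expected = hmac.new(key, canon, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signature):
        return ["signature does not match inventory"]
    signed, actual = parse_inventory(canon), inventory_tree(root)
    problems = []
    for path in sorted(set(signed) | set(actual), key=lambda p: p.encode("utf-8")):
        if path not in signed:
            problems.append("not in signed inventory: " + path)
        elif path not in actual:
            problems.append("missing from tree: " + path)
        elif signed[path] != actual[path]:
            problems.append("content differs: " + path)
    return problems


def demo() -> Tuple[List[str], List[str]]:
    """Constructed tree: sign it clean, then plant a file the inventory never
    saw and alter another; returns (problems before, problems after)."""
    key = b"placeholder key, not a real signing key"
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "src"))
        with open(os.path.join(root, "src", "main.py"), "w") as fh:
            fh.write("print('hi')\n")
        with open(os.path.join(root, "README"), "w") as fh:
            fh.write("docs\n")
        canon, sig = sign_inventory(inventory_tree(root), key)
        clean = verify_tree(root, canon, sig, key)
        with open(os.path.join(root, "src", "backdoor.py"), "w") as fh:
            fh.write("import os\n")
        with open(os.path.join(root, "README"), "a") as fh:
            fh.write("changed\n")
        return clean, verify_tree(root, canon, sig, key)


if __name__ == "__main__":
    print(demo())
```

The two points the exchange turns on are both visible here: the "rigorously defined" sort is over path bytes, not locale order, and every path is length-prefixed, so a filename containing a newline or a colon cannot forge a second entry; and verification re-walks the tree rather than trusting the inventory alone, so the planted `src/backdoor.py` is reported as "not in signed inventory". The walk refuses special files instead of silently dropping them, which is the cheapest defence against objects that never appear in the inventory.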