From: Kevin Smith <yarcs@qualitycode.com>
To: Tom Lord <lord@emf.net>
Cc: git@vger.kernel.org
Subject: Signed commit vulnerabilities? (was: Mercurial 0.4b vs git patchbomb benchmark)
Date: Fri, 29 Apr 2005 16:29:24 -0400 [thread overview]
Message-ID: <42729924.6090308@qualitycode.com> (raw)
In-Reply-To: <200504291954.MAA27561@emf.net>
Tom Lord wrote:
> > Call me a naive git, but seems to me the "git way" is a little
> > different. It's tree-based rather than diff-based, and doesn't involve
> > passing diffs around, right?
>
> Isn't that a significant part of what I said? Go back and read more
> carefully, is my suggestion.
>
> > Or am I missing something?
>
> Very much so.
So far, this is a frustrating conversation to watch. Here's my own
interpretation, presented to help the participants understand whether or
not their intended messages are getting through clearly.
Originally, Tom seemed to claim that the problem was that git requires
you to sign an entire tree, rather than a diff, even though the signer
is only vouching for their diff.
Linus responded by saying that a git signature of a tree would match
that description, but signing a commit is different. I think he claimed
that (by convention) signing a commit ONLY means you are signing the
most recent change, which turned tree A into tree B.
Tom then appeared to propose some specific attacks that could work
against the git model. The precondition seems to be if the patch
receiver does not exhaustively analyze each and every patch. The
receiver trusts the contents based solely on who signed the commit object.
One category of attacks were that a computer or communication channel
was broken. It's not immediately clear to me how git's model contributes
any weakness to these cases, compared to other signing strategies.
The other category of attack mentioned was social, such as a signer
creating a patch that claims to do one thing, but actually does another.
Again, I don't see how git is weaker in this case than any other tool.
Noel then pointed out that in practice, someone receiving a signed
commit in git would view the commit comments and the diff, so the effect
is similar to having the diff itself be signed.
And that's where we are right now. So, from here, it looks like Tom
needs to be more specific about which attacks might be more effective
against git's signing strategy than against signed diffs.
Kevin
next prev parent reply other threads:[~2005-04-29 20:28 UTC|newest]
Thread overview: 119+ messages / expand[flat|nested] mbox.gz Atom feed top
2005-04-26 0:41 Mercurial 0.3 vs git benchmarks Matt Mackall
2005-04-26 1:49 ` Daniel Phillips
2005-04-26 2:08 ` Linus Torvalds
2005-04-26 2:30 ` Mike Taht
2005-04-26 3:04 ` Linus Torvalds
2005-04-26 4:00 ` Linus Torvalds
2005-04-26 11:13 ` Chris Mason
2005-04-26 15:09 ` Magnus Damm
2005-04-26 15:38 ` Chris Mason
2005-04-26 16:23 ` Magnus Damm
2005-04-26 18:18 ` Chris Mason
2005-04-26 20:56 ` Andrew Morton
2005-04-26 21:07 ` Linus Torvalds
2005-04-26 22:50 ` H. Peter Anvin
2005-04-26 22:56 ` Andrew Morton
2005-04-26 23:43 ` H. Peter Anvin
2005-04-27 15:01 ` Florian Weimer
2005-04-27 15:13 ` Thomas Glanzmann
2005-04-27 18:54 ` H. Peter Anvin
2005-04-27 19:01 ` Thomas Glanzmann
2005-04-27 19:57 ` Theodore Ts'o
2005-04-27 20:06 ` Thomas Glanzmann
2005-04-27 20:35 ` H. Peter Anvin
2005-04-27 20:39 ` Thomas Glanzmann
2005-04-27 20:47 ` Florian Weimer
2005-04-27 20:55 ` Florian Weimer
2005-04-27 21:04 ` H. Peter Anvin
2005-04-27 21:06 ` Florian Weimer
2005-04-27 21:32 ` Theodore Ts'o
2005-04-27 19:55 ` Theodore Ts'o
2005-04-27 6:34 ` Ingo Molnar
2005-04-27 21:10 ` Bill Davidsen
2005-04-27 21:39 ` Linus Torvalds
2005-04-26 16:42 ` Linus Torvalds
2005-04-26 17:39 ` Chris Mason
2005-04-26 19:52 ` Chris Mason
2005-04-26 18:15 ` H. Peter Anvin
2005-04-26 20:30 ` Bill Davidsen
2005-04-26 16:11 ` Bill Davidsen
2005-04-26 4:01 ` Matt Mackall
2005-04-26 4:20 ` Linus Torvalds
2005-04-26 4:09 ` Chris Wedgwood
2005-04-26 4:22 ` Andreas Gal
2005-04-26 4:22 ` Linus Torvalds
2005-04-29 6:01 ` Mercurial 0.4b vs git patchbomb benchmark Matt Mackall
2005-04-29 6:40 ` Sean
2005-04-29 7:40 ` Matt Mackall
2005-04-29 8:40 ` Sean
2005-04-29 14:34 ` Linus Torvalds
2005-04-29 15:18 ` Morten Welinder
2005-04-29 16:52 ` Matt Mackall
2005-05-02 16:10 ` Bill Davidsen
2005-05-02 19:02 ` Sean
2005-05-02 22:02 ` Linus Torvalds
2005-05-02 22:30 ` Matt Mackall
2005-05-02 22:49 ` Linus Torvalds
2005-05-03 0:00 ` Matt Mackall
2005-05-03 2:48 ` Linus Torvalds
2005-05-03 3:29 ` Matt Mackall
2005-05-03 4:18 ` Linus Torvalds
2005-05-03 4:24 ` Linus Torvalds
2005-05-03 4:27 ` Matt Mackall
2005-05-03 8:45 ` Chris Wedgwood
2005-04-29 15:44 ` Tom Lord
2005-04-29 15:58 ` Linus Torvalds
2005-04-29 17:34 ` Tom Lord
2005-04-29 17:56 ` Linus Torvalds
2005-04-29 18:08 ` Tom Lord
2005-04-29 18:33 ` Sean
2005-04-29 18:54 ` Tom Lord
2005-04-29 19:13 ` Sean
2005-04-29 19:22 ` Tom Lord
2005-04-29 19:28 ` Tom Lord
2005-04-29 19:47 ` Noel Maddy
2005-04-29 19:54 ` Tom Lord
2005-04-29 20:13 ` Andrew Timberlake-Newell
2005-04-29 20:26 ` Tom Lord
2005-04-29 20:57 ` Andrew Timberlake-Newell
2005-04-29 20:16 ` Morgan Schweers
2005-04-29 20:21 ` Noel Maddy
2005-04-29 20:42 ` git network protocol David Lang
2005-04-29 21:15 ` Daniel Barkalow
2005-04-29 20:44 ` Mercurial 0.4b vs git patchbomb benchmark Tom Lord
2005-04-29 21:57 ` Denys Duchier
2005-04-29 20:29 ` Kevin Smith [this message]
2005-04-29 21:45 ` Horst von Brand
2005-05-02 21:06 ` Tom Lord
2005-05-03 0:24 ` Kevin Smith
2005-05-02 16:15 ` Bill Davidsen
2005-04-29 16:37 ` Matt Mackall
2005-04-29 17:09 ` Linus Torvalds
2005-04-29 19:12 ` Matt Mackall
2005-04-29 19:50 ` Linus Torvalds
2005-04-29 20:23 ` Matt Mackall
2005-04-29 20:49 ` Linus Torvalds
2005-04-29 21:20 ` Matt Mackall
2005-04-29 16:46 ` Bill Davidsen
2005-04-29 20:19 ` Andrea Arcangeli
2005-04-29 22:30 ` Olivier Galibert
2005-04-29 22:47 ` Andrea Arcangeli
2005-04-29 20:30 ` Andrea Arcangeli
2005-04-29 20:39 ` Matt Mackall
2005-04-30 2:52 ` Andrea Arcangeli
2005-04-30 15:20 ` Matt Mackall
2005-04-30 16:37 ` Andrea Arcangeli
2005-05-02 15:49 ` Bill Davidsen
2005-05-02 16:14 ` Valdis.Kletnieks
2005-05-03 17:40 ` Bill Davidsen
2005-05-04 2:10 ` Mercurial 0.4b vs git patchbomb benchmark (/usr/bin/env again) David A. Wheeler
2005-05-02 16:17 ` Mercurial 0.4b vs git patchbomb benchmark Andrea Arcangeli
2005-05-02 16:31 ` Linus Torvalds
2005-05-02 17:18 ` Daniel Jacobowitz
2005-05-02 17:32 ` Linus Torvalds
2005-05-02 18:17 ` Edgar Toernig
2005-05-02 20:54 ` Sam Ravnborg
2005-05-02 17:20 ` Ryan Anderson
2005-05-02 17:31 ` Linus Torvalds
2005-05-02 21:17 ` Kyle Moffett
2005-05-03 17:43 ` Bill Davidsen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=42729924.6090308@qualitycode.com \
--to=yarcs@qualitycode.com \
--cc=git@vger.kernel.org \
--cc=lord@emf.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).