From: Ingo Molnar <mingo@elte.hu>
To: Linus Torvalds <torvalds@osdl.org>
Cc: Petr Baudis <pasky@ucw.cz>, Simon Fowler <simon@himi.org>,
David Lang <david.lang@digitalinsight.com>,
git@vger.kernel.org
Subject: Re: Re: Merge with git-pasky II.
Date: Mon, 18 Apr 2005 09:42:32 +0200 [thread overview]
Message-ID: <20050418074232.GA20119@elte.hu> (raw)
In-Reply-To: <Pine.LNX.4.58.0504171014430.7211@ppc970.osdl.org>
* Linus Torvalds <torvalds@osdl.org> wrote:
> On Sun, 17 Apr 2005, Ingo Molnar wrote:
> >
> > in fact, this attack cannot even be proven to be malicious, purely via
> > the email from Malice: it could be incredible bad luck that caused that
> > good-looking patch to be mistakenly matching a dangerous object.
>
> I really hate theoretical discussions.
i was only replying to your earlier point:
> > > Almost all attacks on sha1 will depend on _replacing_ a file with
> > > a bogus new one. So guys, instead of using sha256 or going
> > > overboard, just make sure that when you synchronize, you NEVER
> > > import a file you already have.
which point i still believe is subtly wrong. You were suggesting to
concentrate on file replacement to counter most of the practical
attacks, while i pointed out an attack _using the same basic mechanism
that your point above supposed_.
[ if you can replace a file with a known hash, with a bogus new one, and
you still have enough control over the contents of your bogus new file
that it is 1) a valid file that builds 2) compromises the kernel, then
you likely have the same amount of control my 'theoretical' attack
requires. ]
> And the thing is, _if_ somebody finds a way to make sha1 act as just a
> complex parity bit, and comes up with generating a clashing object
> that actually makes sense, then going to sha256 is likely pointless
> too [...]
yes, that's why i suggested to not actually trust the hash to be
cryptographically secure, but to just assume it's a good generic hash we
can design a DB around, and to turn -DCOLLISION_CHECK on and enforce
consistency rules on boundaries.
[ it's not bad to keep sha1 because even my suggested enhancement still
leaves 'content-less trust-pointers to untrusted content via email'
vectors open against attack (maintainer sends you an email that commit
X in Malice's repository Y is fine to pull, and you pull it blindly,
while the attacker has replaced his content with the compromised one
meanwhile), but it at least validates the bulk traffic that goes into
the DB: patches via emails and trusted repositories. ]
so all i was suggesting was to extend your suggested 'overwrite
collision check' to a stricter 'content we throw away and use the sha1
shortcut for needs to be checked against the in-DB content as well'.
in other words, your suggested 'rename check' is checking for 'positive
duplicate content', while my addition would also check for 'negative
duplicate content' as well.
but as usual, i could be wrong, so dont take this too serious :-)
Ingo
next prev parent reply other threads:[~2005-04-18 7:38 UTC|newest]
Thread overview: 130+ messages / expand[flat|nested] mbox.gz Atom feed top
2005-04-14 0:29 Merge with git-pasky II Petr Baudis
2005-04-13 21:25 ` Christopher Li
2005-04-14 0:45 ` Petr Baudis
2005-04-13 22:00 ` Christopher Li
2005-04-14 3:51 ` Linus Torvalds
2005-04-14 1:23 ` Christopher Li
2005-04-14 5:03 ` Paul Jackson
2005-04-14 2:16 ` Christopher Li
2005-04-14 6:16 ` Paul Jackson
2005-04-14 7:05 ` Junio C Hamano
2005-04-14 8:06 ` Linus Torvalds
2005-04-14 8:39 ` Junio C Hamano
2005-04-14 9:10 ` Linus Torvalds
2005-04-14 11:14 ` Junio C Hamano
2005-04-14 12:16 ` Petr Baudis
2005-04-14 18:12 ` Junio C Hamano
2005-04-14 18:36 ` Linus Torvalds
2005-04-14 19:59 ` Junio C Hamano
2005-04-14 20:20 ` Petr Baudis
2005-04-15 0:42 ` Linus Torvalds
2005-04-15 2:33 ` Barry Silverman
2005-04-15 10:02 ` David Woodhouse
2005-04-15 15:32 ` Linus Torvalds
2005-04-15 16:01 ` David Woodhouse
2005-04-15 16:31 ` C. Scott Ananian
2005-04-15 17:11 ` Linus Torvalds
2005-04-16 15:33 ` Johannes Schindelin
2005-04-17 13:14 ` David Woodhouse
2005-04-15 19:20 ` Paul Jackson
2005-04-16 1:44 ` Simon Fowler
2005-04-16 12:19 ` David Lang
2005-04-16 15:55 ` Simon Fowler
2005-04-16 16:03 ` Petr Baudis
2005-04-16 16:26 ` Simon Fowler
2005-04-16 16:26 ` Linus Torvalds
2005-04-16 23:02 ` David Lang
2005-04-17 14:52 ` Ingo Molnar
2005-04-17 15:08 ` Brad Roberts
2005-04-17 15:18 ` Ingo Molnar
2005-04-17 15:28 ` Ingo Molnar
2005-04-17 17:34 ` Linus Torvalds
2005-04-17 22:12 ` Herbert Xu
2005-04-17 22:35 ` Linus Torvalds
2005-04-17 23:29 ` Herbert Xu
2005-04-17 23:34 ` Petr Baudis
2005-04-17 23:53 ` Kenneth Johansson
2005-04-18 0:49 ` Herbert Xu
2005-04-18 0:55 ` Petr Baudis
2005-04-17 23:50 ` Linus Torvalds
2005-04-18 4:16 ` Sanjoy Mahajan
2005-04-18 7:42 ` Ingo Molnar [this message]
2005-04-16 20:29 ` Sanjoy Mahajan
2005-04-16 20:41 ` Linus Torvalds
2005-04-15 2:21 ` [Patch] ls-tree enhancements Junio C Hamano
2005-04-15 16:13 ` Petr Baudis
2005-04-15 18:25 ` Junio C Hamano
2005-04-15 9:14 ` Merge with git-pasky II David Woodhouse
2005-04-15 9:36 ` Ingo Molnar
2005-04-15 10:05 ` David Woodhouse
2005-04-15 14:53 ` Ingo Molnar
2005-04-15 15:09 ` David Woodhouse
2005-04-15 12:03 ` Johannes Schindelin
2005-04-15 10:22 ` Theodore Ts'o
2005-04-15 14:53 ` Linus Torvalds
2005-04-15 15:29 ` David Woodhouse
2005-04-15 15:51 ` Linus Torvalds
2005-04-15 15:54 ` Paul Jackson
2005-04-15 16:30 ` C. Scott Ananian
2005-04-15 18:29 ` Paul Jackson
2005-04-14 18:51 ` Christopher Li
2005-04-14 19:35 ` Petr Baudis
2005-04-14 20:01 ` Live Merging from remote repositories Barry Silverman
2005-04-14 23:22 ` Junio C Hamano
2005-04-15 1:07 ` Question about git process model Barry Silverman
2005-04-14 20:23 ` Re: Merge with git-pasky II Erik van Konijnenburg
2005-04-14 20:24 ` Petr Baudis
2005-04-14 23:12 ` Junio C Hamano
2005-04-14 20:24 ` Christopher Li
2005-04-14 23:31 ` Petr Baudis
2005-04-14 20:30 ` Christopher Li
2005-04-14 20:37 ` Christopher Li
2005-04-14 20:50 ` Christopher Li
2005-04-15 0:58 ` Junio C Hamano
2005-04-14 22:30 ` Christopher Li
2005-04-15 7:43 ` Junio C Hamano
2005-04-15 6:28 ` Christopher Li
2005-04-15 11:11 ` Junio C Hamano
[not found] ` <7vaco0i3t9.fsf_-_@assigned-by-dhcp.cox.net>
2005-04-15 18:44 ` write-tree is pasky-0.4 Linus Torvalds
2005-04-15 18:56 ` Petr Baudis
2005-04-15 20:13 ` Linus Torvalds
2005-04-15 22:36 ` Petr Baudis
2005-04-16 0:22 ` Linus Torvalds
2005-04-16 1:13 ` Daniel Barkalow
2005-04-16 2:18 ` Linus Torvalds
2005-04-16 2:49 ` Daniel Barkalow
2005-04-16 3:13 ` Linus Torvalds
2005-04-16 3:56 ` Daniel Barkalow
2005-04-16 6:59 ` Paul Jackson
2005-04-16 15:34 ` Re: Re: " Petr Baudis
2005-04-15 20:10 ` Junio C Hamano
2005-04-15 20:58 ` C. Scott Ananian
2005-04-15 21:22 ` Petr Baudis
2005-04-15 23:16 ` Junio C Hamano
2005-04-15 21:48 ` [PATCH 1/2] merge-trees script for Linus git Junio C Hamano
2005-04-15 21:54 ` [PATCH 2/2] " Junio C Hamano
2005-04-15 23:33 ` [PATCH 3/2] " Junio C Hamano
2005-04-16 1:02 ` Linus Torvalds
2005-04-16 4:10 ` Junio C Hamano
2005-04-16 5:02 ` Linus Torvalds
2005-04-16 6:26 ` Linus Torvalds
2005-04-16 8:12 ` Junio C Hamano
2005-04-16 9:27 ` [PATCH] Byteorder fix for read-tree, new -m semantics version Junio C Hamano
2005-04-16 10:35 ` [PATCH 1/2] Add --stage to show-files for new stage dircache Junio C Hamano
2005-04-16 10:42 ` [PATCH 2/2] " Junio C Hamano
2005-04-16 14:03 ` Issues with higher-order stages in dircache Junio C Hamano
2005-04-17 5:11 ` Junio C Hamano
2005-04-17 5:31 ` Linus Torvalds
2005-04-17 6:01 ` Junio C Hamano
2005-04-17 10:00 ` Summary of "read-tree -m O A B" mechanism Junio C Hamano
2005-04-16 15:28 ` [PATCH 3/2] merge-trees script for Linus git Linus Torvalds
2005-04-16 16:36 ` Linus Torvalds
2005-04-16 17:14 ` Junio C Hamano
2005-04-15 19:54 ` Re: Merge with git-pasky II Petr Baudis
2005-04-15 10:22 ` Junio C Hamano
2005-04-15 20:40 ` Petr Baudis
2005-04-15 22:41 ` Junio C Hamano
2005-04-15 19:57 ` Junio C Hamano
2005-04-15 20:45 ` Linus Torvalds
2005-04-14 0:30 ` Petr Baudis
2005-04-14 22:11 ` git merge Petr Baudis
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: http://vger.kernel.org/majordomo-info.html
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20050418074232.GA20119@elte.hu \
--to=mingo@elte.hu \
--cc=david.lang@digitalinsight.com \
--cc=git@vger.kernel.org \
--cc=pasky@ucw.cz \
--cc=simon@himi.org \
--cc=torvalds@osdl.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://80x24.org/mirrors/git.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).