From: David Lang <david.lang@digitalinsight.com>
To: Linus Torvalds <torvalds@osdl.org>
Cc: Petr Baudis <pasky@ucw.cz>, Simon Fowler <simon@himi.org>,
git@vger.kernel.org
Subject: Re: Re: Merge with git-pasky II.
Date: Sat, 16 Apr 2005 16:02:04 -0700 (PDT) [thread overview]
Message-ID: <Pine.LNX.4.62.0504161559140.22652@qynat.qvtvafvgr.pbz> (raw)
In-Reply-To: <Pine.LNX.4.58.0504160913180.7211@ppc970.osdl.org>
On Sat, 16 Apr 2005, Linus Torvalds wrote:
> Almost all attacks on sha1 will depend on _replacing_ a file with a bogus
> new one. So guys, instead of using sha256 or going overboard, just make
> sure that when you synchronize, you NEVER import a file you already have.
>
> It's really that simple. Add "--ignore-existing" to your rsync scripts,
> and you're pretty much done. That guarantees that a new evil blob by the
> next mad scientist out to take over the world will never touch your
> repository, and if we make this part of the _standard_ scripts, then
> dammit, security is in good _practices_ rather than just relying blindly
> on the hash being secure.
>
> In other words, I think we could have used md5's as the hash, if we just
> make sure we have good practices. And it wouldn't have been "insecure".
>
> The fact is, you don't merge with people you don't trust. If you don't
> trust them, they have a much easier time corrupting your repository by
> just creating bugs in the code and checking that thing in. Who cares about
> hash collisions, when you can generate a kernel root vulnerability by just
> adding a single line of code and use the _correct_ hash for it.
>
> So the sha1 hash does not replace _trust_. That comes from something else
> altogether.
What I am bringing up is not intended to be a trust thing, but instead a
safety thing, accidents, not evil intent. makeing the rsync scripts
--ignore-existing will avoid corrupting local data when pulling remotely,
but it won't solve the problem of running into a collision locally (and
won't do much to help you figure out what's wrong when you run into a
remote collision)
David Lang
--
There are two ways of constructing a software design. One way is to make it so simple that there are obviously no deficiencies. And the other way is to make it so complicated that there are no obvious deficiencies.
-- C.A.R. Hoare
next prev parent reply other threads:[~2005-04-16 22:58 UTC|newest]
Thread overview: 130+ messages / expand[flat|nested] mbox.gz Atom feed top
2005-04-14 0:29 Merge with git-pasky II Petr Baudis
2005-04-13 21:25 ` Christopher Li
2005-04-14 0:45 ` Petr Baudis
2005-04-13 22:00 ` Christopher Li
2005-04-14 3:51 ` Linus Torvalds
2005-04-14 1:23 ` Christopher Li
2005-04-14 5:03 ` Paul Jackson
2005-04-14 2:16 ` Christopher Li
2005-04-14 6:16 ` Paul Jackson
2005-04-14 7:05 ` Junio C Hamano
2005-04-14 8:06 ` Linus Torvalds
2005-04-14 8:39 ` Junio C Hamano
2005-04-14 9:10 ` Linus Torvalds
2005-04-14 11:14 ` Junio C Hamano
2005-04-14 12:16 ` Petr Baudis
2005-04-14 18:12 ` Junio C Hamano
2005-04-14 18:36 ` Linus Torvalds
2005-04-14 19:59 ` Junio C Hamano
2005-04-14 20:20 ` Petr Baudis
2005-04-15 0:42 ` Linus Torvalds
2005-04-15 2:33 ` Barry Silverman
2005-04-15 10:02 ` David Woodhouse
2005-04-15 15:32 ` Linus Torvalds
2005-04-15 16:01 ` David Woodhouse
2005-04-15 16:31 ` C. Scott Ananian
2005-04-15 17:11 ` Linus Torvalds
2005-04-16 15:33 ` Johannes Schindelin
2005-04-17 13:14 ` David Woodhouse
2005-04-15 19:20 ` Paul Jackson
2005-04-16 1:44 ` Simon Fowler
2005-04-16 12:19 ` David Lang
2005-04-16 15:55 ` Simon Fowler
2005-04-16 16:03 ` Petr Baudis
2005-04-16 16:26 ` Simon Fowler
2005-04-16 16:26 ` Linus Torvalds
2005-04-16 23:02 ` David Lang [this message]
2005-04-17 14:52 ` Ingo Molnar
2005-04-17 15:08 ` Brad Roberts
2005-04-17 15:18 ` Ingo Molnar
2005-04-17 15:28 ` Ingo Molnar
2005-04-17 17:34 ` Linus Torvalds
2005-04-17 22:12 ` Herbert Xu
2005-04-17 22:35 ` Linus Torvalds
2005-04-17 23:29 ` Herbert Xu
2005-04-17 23:34 ` Petr Baudis
2005-04-17 23:53 ` Kenneth Johansson
2005-04-18 0:49 ` Herbert Xu
2005-04-18 0:55 ` Petr Baudis
2005-04-17 23:50 ` Linus Torvalds
2005-04-18 4:16 ` Sanjoy Mahajan
2005-04-18 7:42 ` Ingo Molnar
2005-04-16 20:29 ` Sanjoy Mahajan
2005-04-16 20:41 ` Linus Torvalds
2005-04-15 2:21 ` [Patch] ls-tree enhancements Junio C Hamano
2005-04-15 16:13 ` Petr Baudis
2005-04-15 18:25 ` Junio C Hamano
2005-04-15 9:14 ` Merge with git-pasky II David Woodhouse
2005-04-15 9:36 ` Ingo Molnar
2005-04-15 10:05 ` David Woodhouse
2005-04-15 14:53 ` Ingo Molnar
2005-04-15 15:09 ` David Woodhouse
2005-04-15 12:03 ` Johannes Schindelin
2005-04-15 10:22 ` Theodore Ts'o
2005-04-15 14:53 ` Linus Torvalds
2005-04-15 15:29 ` David Woodhouse
2005-04-15 15:51 ` Linus Torvalds
2005-04-15 15:54 ` Paul Jackson
2005-04-15 16:30 ` C. Scott Ananian
2005-04-15 18:29 ` Paul Jackson
2005-04-14 18:51 ` Christopher Li
2005-04-14 19:35 ` Petr Baudis
2005-04-14 20:01 ` Live Merging from remote repositories Barry Silverman
2005-04-14 23:22 ` Junio C Hamano
2005-04-15 1:07 ` Question about git process model Barry Silverman
2005-04-14 20:23 ` Re: Merge with git-pasky II Erik van Konijnenburg
2005-04-14 20:24 ` Petr Baudis
2005-04-14 23:12 ` Junio C Hamano
2005-04-14 20:24 ` Christopher Li
2005-04-14 23:31 ` Petr Baudis
2005-04-14 20:30 ` Christopher Li
2005-04-14 20:37 ` Christopher Li
2005-04-14 20:50 ` Christopher Li
2005-04-15 0:58 ` Junio C Hamano
2005-04-14 22:30 ` Christopher Li
2005-04-15 7:43 ` Junio C Hamano
2005-04-15 6:28 ` Christopher Li
2005-04-15 11:11 ` Junio C Hamano
[not found] ` <7vaco0i3t9.fsf_-_@assigned-by-dhcp.cox.net>
2005-04-15 18:44 ` write-tree is pasky-0.4 Linus Torvalds
2005-04-15 18:56 ` Petr Baudis
2005-04-15 20:13 ` Linus Torvalds
2005-04-15 22:36 ` Petr Baudis
2005-04-16 0:22 ` Linus Torvalds
2005-04-16 1:13 ` Daniel Barkalow
2005-04-16 2:18 ` Linus Torvalds
2005-04-16 2:49 ` Daniel Barkalow
2005-04-16 3:13 ` Linus Torvalds
2005-04-16 3:56 ` Daniel Barkalow
2005-04-16 6:59 ` Paul Jackson
2005-04-16 15:34 ` Re: Re: " Petr Baudis
2005-04-15 20:10 ` Junio C Hamano
2005-04-15 20:58 ` C. Scott Ananian
2005-04-15 21:22 ` Petr Baudis
2005-04-15 23:16 ` Junio C Hamano
2005-04-15 21:48 ` [PATCH 1/2] merge-trees script for Linus git Junio C Hamano
2005-04-15 21:54 ` [PATCH 2/2] " Junio C Hamano
2005-04-15 23:33 ` [PATCH 3/2] " Junio C Hamano
2005-04-16 1:02 ` Linus Torvalds
2005-04-16 4:10 ` Junio C Hamano
2005-04-16 5:02 ` Linus Torvalds
2005-04-16 6:26 ` Linus Torvalds
2005-04-16 8:12 ` Junio C Hamano
2005-04-16 9:27 ` [PATCH] Byteorder fix for read-tree, new -m semantics version Junio C Hamano
2005-04-16 10:35 ` [PATCH 1/2] Add --stage to show-files for new stage dircache Junio C Hamano
2005-04-16 10:42 ` [PATCH 2/2] " Junio C Hamano
2005-04-16 14:03 ` Issues with higher-order stages in dircache Junio C Hamano
2005-04-17 5:11 ` Junio C Hamano
2005-04-17 5:31 ` Linus Torvalds
2005-04-17 6:01 ` Junio C Hamano
2005-04-17 10:00 ` Summary of "read-tree -m O A B" mechanism Junio C Hamano
2005-04-16 15:28 ` [PATCH 3/2] merge-trees script for Linus git Linus Torvalds
2005-04-16 16:36 ` Linus Torvalds
2005-04-16 17:14 ` Junio C Hamano
2005-04-15 19:54 ` Re: Merge with git-pasky II Petr Baudis
2005-04-15 10:22 ` Junio C Hamano
2005-04-15 20:40 ` Petr Baudis
2005-04-15 22:41 ` Junio C Hamano
2005-04-15 19:57 ` Junio C Hamano
2005-04-15 20:45 ` Linus Torvalds
2005-04-14 0:30 ` Petr Baudis
2005-04-14 22:11 ` git merge Petr Baudis
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: http://vger.kernel.org/majordomo-info.html
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=Pine.LNX.4.62.0504161559140.22652@qynat.qvtvafvgr.pbz \
--to=david.lang@digitalinsight.com \
--cc=git@vger.kernel.org \
--cc=pasky@ucw.cz \
--cc=simon@himi.org \
--cc=torvalds@osdl.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://80x24.org/mirrors/git.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).