
Re: [Gnu-arch-users] (fairly minor) SECURITY ISSUE


From: Tom Lord
Subject: Re: [Gnu-arch-users] (fairly minor) SECURITY ISSUE
Date: Tue, 20 Jan 2004 19:45:59 -0800 (PST)


    > From: Colin Walters <address@hidden>

    > > Anyone care to suggest the best revision?

    > I think we should take this opportunity to switch to detached
    > signatures.  [....] The advantages of this are that it doesn't
    > require parsing the checksum file, and also we can have multiple
    > people sign a single revision (just add more signatures in
    > sigs/).

This is a fairly bogus idea, unfortunately.  Which of many signatures
should arch use to check a file?  Which should it fetch from a server?
You go on to suggest that .check scripts should be pointed at a
directory of all available signatures but that has two drawbacks:  1)
it requires the creation of a temporary directory (the current
interface to .check scripts does not require tmp files at all) and 2)
it needlessly increases the number of (archive) filesystem
transactions needed to examine a given revision.

Anyway: What is the semantic significance of multiply signed revisions
and why doesn't that functionality belong elsewhere?  The purpose of
signatures in arch is to help to preserve archive integrity.  Period.

Arch's syntax requirement on signing tools is pretty unobtrusive.  It
requires that it be able to unambiguously find its pretty
conservative syntax for checksums amidst whatever noise is introduced
by whatever signing process is used. 

-t
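The last paragraph of the reply describes the contract arch places on a signing tool: the checker only has to locate lines in a conservative checksum syntax inside whatever wrapper the signing process adds. The following is an added example of that extraction step, not arch's code. The record syntax (`<algo> <hex digest>  <path>`) is a constructed stand-in for arch's real checksum format, and the armor frame is built by hand so nothing here verifies an OpenPGP signature; the point shown is that strict matching on the record syntax lets the checker ignore armor headers, comments and the signature block without needing a temporary directory.

```python
"""Pull checksum records out of a clearsigned text, ignoring signing-tool noise.

Added example; not arch's code.  The record syntax below is a constructed
stand-in for arch's checksum format, and the armor wrapper is built by hand
here rather than produced by a signing tool, so no signature is verified.
"""
import hashlib
import re

# Constructed conservative syntax: "<algo> <hex digest>  <path>", one per line.
DIGEST_LEN = {"md5": 32, "sha1": 40, "sha256": 64}
CHECKSUM_LINE = re.compile(r"^(md5|sha1|sha256) ([0-9a-f]+)  (\S+)$")


def extract_checksums(signed_text):
    """Return {path: (algo, digest)} for each line that unambiguously matches
    the record syntax; every other line (armor headers, the signature block,
    comments) is treated as noise from the signing process and skipped."""
    found = {}
    for line in signed_text.splitlines():
        # OpenPGP clearsigning dash-escapes lines that start with '-';
        # undo that so an escaped record is still recognised.
        if line.startswith("- "):
            line = line[2:]
        m = CHECKSUM_LINE.match(line)
        if not m:
            continue
        algo, digest, path = m.groups()
        if len(digest) != DIGEST_LEN[algo]:
            continue  # wrong digest length for the algorithm: not a record
        if path in found:
            raise ValueError("duplicate checksum record for %s" % path)
        found[path] = (algo, digest)
    return found


def verify_files(checksums, files):
    """files: {path: bytes}.  Return (ok, problems); problems is a list of
    ('mismatch' | 'unlisted' | 'missing', path) pairs."""
    problems = []
    for path, data in files.items():
        if path not in checksums:
            problems.append(("unlisted", path))
            continue
        algo, expected = checksums[path]
        if hashlib.new(algo, data).hexdigest() != expected:
            problems.append(("mismatch", path))
    for path in checksums:
        if path not in files:
            problems.append(("missing", path))
    return (not problems, problems)


def fake_clearsign(files, algo="sha256"):
    """Wrap checksum records in a hand-built armor frame (constructed noise;
    the 'signature' lines are placeholders, not a real OpenPGP signature)."""
    body = ["%s %s  %s" % (algo, hashlib.new(algo, files[p]).hexdigest(), p)
            for p in sorted(files)]
    return "\n".join(
        ["-----BEGIN PGP SIGNED MESSAGE-----", "Hash: SHA256", ""]
        + body
        + ["", "-----BEGIN PGP SIGNATURE-----", "Version: constructed",
           "Comment: sha256 deadbeef  not-a-record", "",
           "iQEzBAEBCAAdFiEEplaceholderplaceholderplaceholder",
           "-----END PGP SIGNATURE-----"])


# Constructed sample revision contents.
SAMPLE_FILES = {
    "patches/a.diff": b"--- a\n+++ b\n",
    "log": b"Summary: constructed example\n",
}

if __name__ == "__main__":
    signed = fake_clearsign(SAMPLE_FILES)
    sums = extract_checksums(signed)
    print(verify_files(sums, SAMPLE_FILES))
    tampered = dict(SAMPLE_FILES, log=b"Summary: altered\n")
    print(verify_files(sums, tampered))
```

Because the matcher requires the exact record shape and the right digest length for the named algorithm, a comment or signature line that happens to contain hash-like text is never mistaken for a record, which is what lets the checker work on the signed text directly rather than on a directory of separate signature files.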




