[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Gnu-arch-users] GNU Arch review - am I accurate?

From: Andrew Suffield
Subject: Re: [Gnu-arch-users] GNU Arch review - am I accurate?
Date: Sun, 7 Mar 2004 18:28:42 +0000
User-agent: Mutt/

On Sun, Mar 07, 2004 at 12:22:59PM -0600, Charles Duffy wrote:
> On Thu, 2004-03-04 at 05:00, Andrew Suffield wrote:
> > On Wed, Mar 03, 2004 at 07:07:09AM +0000, David A. Wheeler wrote:
> > > The signatures sign the revision number as well as the change itself
> > > (they're both encoded in the signed tarball), so an attacker can't
> > > just change the patch order and can't silently remove a patch and
> > > renumber the later patches without detection. However, it appears to
> > > me that such signatures (at least as currently implemented) cannot
> > > detect the malicious substitution of whole signed patches (such as
> > > the silent replacement of a previous security fix with a non-fix),
> > > or removal of the "latest" fix before anyone else uses it.
> > 
> > This problem is not specific to arch. It's a fundamental limitation of
> > cryptographic signatures. There is no way that you can ever tell
> > whether you are looking at the latest copy of the tree, or whether
> > you're looking at a snapshot that a hostile interloper took yesterday
> > and has substituted for the new one. I don't believe it is even
> > theoretically possible to solve this problem in any system that is
> > based on signatures.
> There are things that could be done about it, though: Signature 
> chaining, for instance, would mean that substitution would have to be
> done not on a single revision alone but on all future revisions as well.
> Sure, it's not a complete solution, but it could well be better than
> nothing.

I don't believe this is an attack vector in the current system. You
can't insert an unsigned changeset in the middle of a sequence, or
remove a changeset, without tla noticing and stopping. All you can do
is stop adding *any* new changesets.

  .''`.  ** Debian GNU/Linux ** | Andrew Suffield
 : :' : |
 `. `'                          |
   `-             -><-          |

Attachment: signature.asc
Description: Digital signature

reply via email to

[Prev in Thread] Current Thread [Next in Thread]