
[Monotone-devel] Re: Monotone Security


From: William Uther
Subject: [Monotone-devel] Re: Monotone Security
Date: Mon, 20 Oct 2008 11:14:12 +1100

Hi,
Just one thought about monotone security, which I didn't notice in your list, but may have missed.

Monotone signs revisions. However, it trusts not just the revision signed by someone, but all ancestors of that revision as well. This means that if you can slide a bad change past one trusted person, monotone will not warn anyone else.

e.g. Alice and Bob are working on a project together. Charlie wants to slip in a patch.

Alice and Bob both have each other's public keys. Alice has her repository set up so that she only sees revisions signed by Bob.

Bob is a little more lax. He has the default setup where he sees everyone's revisions.

Let's imagine that Charlie manages to get a revision (signed only by Charlie) into Bob's repository.

At this point, if Bob and Alice synchronise repositories, then depending upon Alice's settings either she won't get Charlie's revision at all, or she'll get a copy of it, but Alice's system will ignore it because it isn't signed by someone she trusts. In either case, things are secure.

Now let's imagine that Bob merges all heads in his database, but without fully checking Charlie's change. At this point, Bob signs the newly merged revision.

If Alice and Bob synchronise repositories at this point, then Alice will end up with a copy of Charlie's revision regardless of her trust settings regarding Charlie (she might not end up with Charlie's rev's certs, but she will get the rev). Moreover, she'll get the merged revision which incorporates both Bob and Charlie's changes, and this revision will be signed by Bob.

The end result is that if you can slip a change past one trusted person, Monotone will not complain about it.

Notes:

The first thing to note about this is that it is a feature more than a bug. It means that people can merge in patches submitted by third parties.

The second thing to note is that it would be possible to make a trust hook that checked not only a revision, but all of its ancestors to make sure they were signed correctly. This would close the hole, but it would be inefficient and also close the feature.

The third thing to note is that in normal usage, monotone chains trust. You trust not just the people you trust, but everyone they trust, and everyone they trust... It really is worth reviewing patches even from people you 'trust'. (Most bugs are unintentional anyway. Code reviews are good.)

Be well,

Will       :-}
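The scenario in the message above, modelled as an added example (this is not code from the original post or from the monotone project): a toy revision DAG with signatures modelled as plain key names attached to each revision, no real cryptography. It compares the per-revision trust check the post describes with the stricter ancestor-checking hook sketched in the second note, and shows that once Bob signs the merge, Charlie's revision lands in Alice's database under the per-revision policy, while the ancestry policy rejects the whole merge. Names (`alice`, `bob`, `charlie`, `r0`, `b1`, `c1`, `m1`) and the history are constructed for the example.

```python
from dataclasses import dataclass


@dataclass
class Revision:
    """One revision in a toy monotone-style history graph (constructed data)."""
    rid: str
    parents: tuple = ()                 # parent revision ids; two parents = merge
    signers: frozenset = frozenset()    # keys that have signed a cert on this rev


class History:
    """A revision DAG plus the signing keys attached to each revision."""

    def __init__(self):
        self.revs = {}

    def commit(self, rid, parents=(), signers=()):
        for p in parents:
            assert p in self.revs, f"unknown parent {p}"
        self.revs[rid] = Revision(rid, tuple(parents), frozenset(signers))
        return rid

    def ancestors(self, rid):
        """All revisions reachable from rid through parent edges, rid included."""
        seen, todo = set(), [rid]
        while todo:
            r = todo.pop()
            if r in seen:
                continue
            seen.add(r)
            todo.extend(self.revs[r].parents)
        return seen

    def heads(self):
        has_child = {p for r in self.revs.values() for p in r.parents}
        return {rid for rid in self.revs if rid not in has_child}


def trusted_per_revision(hist, rid, trusted_keys):
    """The behaviour the post describes: a revision is trusted when at least
    one trusted key has signed it; its ancestors are not re-checked."""
    return bool(hist.revs[rid].signers & trusted_keys)


def trusted_with_ancestry(hist, rid, trusted_keys):
    """The stricter hook sketched in the second note: every ancestor must
    itself carry a signature from a trusted key."""
    return all(trusted_per_revision(hist, a, trusted_keys)
               for a in hist.ancestors(rid))


def pull(hist, trusted_keys, policy):
    """What a puller ends up with: every head the policy accepts, plus the
    full ancestry of that head (a revision is not stored without its
    parents, whatever certs come with them). Returns (accepted_heads, db)."""
    accepted = {h for h in hist.heads() if policy(hist, h, trusted_keys)}
    stored = set()
    for h in accepted:
        stored |= hist.ancestors(h)
    return accepted, stored


def scenario(merge_done):
    """Alice and Bob's shared history; Charlie's patch arrives via Bob.
    Hypothetical revision ids and key names."""
    h = History()
    h.commit("r0", signers={"alice", "bob"})
    h.commit("b1", parents=("r0",), signers={"bob"})        # Bob's own work
    h.commit("c1", parents=("r0",), signers={"charlie"})    # Charlie's patch, unreviewed
    if merge_done:
        # Bob merges both heads and signs the result without checking c1
        h.commit("m1", parents=("b1", "c1"), signers={"bob"})
    return h


ALICE_TRUSTS = {"alice", "bob"}   # Alice only trusts her own key and Bob's

if __name__ == "__main__":
    for merged in (False, True):
        h = scenario(merged)
        for name, policy in (("per-revision", trusted_per_revision),
                             ("with-ancestry", trusted_with_ancestry)):
            heads, db = pull(h, ALICE_TRUSTS, policy)
            print(f"merged={merged!s:5} {name:13} heads={sorted(heads)} "
                  f"c1 in Alice's db: {'c1' in db}")
```

Before the merge both policies behave the same: `b1` is accepted and `c1` is left out. After the merge, the per-revision policy accepts `m1` because Bob signed it, and `c1` arrives as part of its ancestry. The ancestry policy rejects `m1` outright, which closes the hole but also means Alice gets nothing at all from a merge that pulled in any third-party patch, reviewed or not, which is the cost the second note points out.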
