This is the mail archive of the gcc@gcc.gnu.org mailing list for the GCC project.



Re: Notes from the version control BOF at the summit


>>>>> "Tom" == Tom Lord <lord@emf.net> writes:

 Tom> A fine point:

 Tom> Signatures in a revision control system (as in arch) can aid in
 Tom> _discovery_ of a break-in.  Multi-generation backup can not do
 Tom> that absent additional infrastructure to compare backup to
 Tom> actuality and, even so, a multi-generation backup strategy can
 Tom> not detect a break-in before there is a chance that some process
 Tom> will use the bogus data.  Signature checking built-in to the
 Tom> revision control system guarantees (or should, anyway) that
 Tom> bogosified data is never used -- it's detected as being
 Tom> bogosified as soon as it matters.

 Tom> Of course, if the committers' private keys are compromised then
 Tom> all bets are off -- but at least with signatures there is
 Tom> another layer of protection there.

I must be missing something here.

SSH (as currently deployed in the GCC project) uses digital signatures
for authentication.

So right now we have digital signature protection.  If the repository
servers are otherwise secure, you'd need to break SSH to compromise
CVS.

On the other hand, if the private key of an authorized write-access
maintainer is compromised, then the repository can be tampered with
(but the history would show that).

You could require TWO signatures with TWO private keys, but that just
creates such operational pain that it's unlikely to add security.
(Extra mechanism that's too painful will only be circumvented.)

Or did you mean cryptographic checksums (e.g., md5sum) computed and
recorded at the repository server?  Those checksums -- if securely
recorded -- give you an extra mechanism to track changes to the
repository.  If these are collected outside the CVS machinery this
will also catch modifications made by going around CVS.  Those are
probably the most interesting because those are the ones that the
checkin history doesn't show.

Note that cryptographic checksums are sufficient for this -- digital
signatures are overkill.  At a server, that's an important difference
because giving a daemon a private key (securely) is hard.

	paul
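The out-of-band checksum scheme sketched in the reply above (digests computed at the server, recorded outside the CVS machinery, so changes that bypass CVS are still caught), as an added example that is not part of the original thread. SHA-256 stands in for the md5sum of the mail; the RCS ",v" file names and the tampering scenario in `demo()` are constructed.

```python
import hashlib
import os
import tempfile
from typing import Dict, Set, Tuple

def file_digest(path: str) -> str:
    """SHA-256 of one file, streamed so large RCS files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def baseline(root: str) -> Dict[str, str]:
    """Map relative path -> digest for every regular file under root.

    This runs outside the version-control system, so it sees the files as they
    are on disk. Keep the result where a server compromise cannot rewrite it
    ('securely recorded'), e.g. copied off-host right after the run.
    """
    manifest: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full) and not os.path.islink(full):
                manifest[os.path.relpath(full, root)] = file_digest(full)
    return manifest

def verify(root: str, recorded: Dict[str, str]) -> Tuple[Set[str], Set[str], Set[str]]:
    """Return (modified, added, removed) paths of the tree versus the recorded manifest."""
    current = baseline(root)
    modified = {p for p in recorded if p in current and current[p] != recorded[p]}
    return modified, set(current) - set(recorded), set(recorded) - set(current)

def demo() -> Tuple[Set[str], Set[str], Set[str]]:
    """Constructed scenario: baseline a tiny CVS-style tree, then edit it directly on disk."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "gcc"))
        for rel, data in {"gcc/tree.c,v": b"head 1.1;\n", "gcc/ChangeLog,v": b"head 1.3;\n"}.items():
            with open(os.path.join(root, rel), "wb") as f:
                f.write(data)
        recorded = baseline(root)
        # Changes made by going around CVS: rewrite one file, plant one, delete one.
        with open(os.path.join(root, "gcc/tree.c,v"), "wb") as f:
            f.write(b"head 1.1;\n@altered@\n")
        with open(os.path.join(root, "gcc/planted.c,v"), "wb") as f:
            f.write(b"head 1.1;\n")
        os.remove(os.path.join(root, "gcc/ChangeLog,v"))
        return verify(root, recorded)
```

`demo()` returns the three change sets; a scheduled run of `verify()` against a manifest stored off the server is the check the mail has in mind, and anything it reports that the checkin history cannot account for is the case worth investigating.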

