This is the mail archive of the gcc@gcc.gnu.org mailing list for the GCC project.
Re: Notes from the version control BOF at the summit
> From: Florian Weimer <fw@deneb.enyo.de>
> * Ian Lance Taylor:
> > For accidental repository corruption, we have backups. For deliberate
> > repository corruption, digital signatures don't help, except to pin
> > down precisely who did it.
> The general belief is that developer machines are secure, while the
> repository server is insecure. The primary cause for that belief is
> that so far, we have no publicly documented case in which a developer
> machine was compromised, but several high-profile cases which involve
> repositories or distribution sites.
> However, digital signatures (if done right) can aid in recovery from a
> break-in, but so can a good, multi-generation backup.
A fine point:
Signatures in a revision control system (as in arch) can aid in
_discovery_ of a break-in. Multi-generation backup cannot do that
absent additional infrastructure to compare backup to actuality and,
even so, a multi-generation backup strategy cannot detect a break-in
before there is a chance that some process will use the bogus data.
Signature checking built into the revision control system guarantees
(or should, anyway) that bogosified data is never used -- it's
detected as being bogosified as soon as it matters.
Of course, if the committers' private keys are compromised then all
bets are off -- but at least with signatures there is another layer of
protection there.
-t
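The verify-on-use property argued for in the reply above, as an added Go example (not arch's code and not posted by anyone in the thread): the checkout step itself refuses a revision whose signature no longer matches, so data altered on the repository server is caught the moment it would be used. It assumes a constructed `Revision` layout, an in-memory map of trusted committer keys, and ed25519 keys generated on the spot.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Revision is a constructed stand-in for one signed changeset (hypothetical
// layout, not arch's real format): committer, patch text, committer's signature.
type Revision struct {
	Committer string
	Patch     []byte
	Sig       []byte
}

var ErrUnknownKey = errors.New("committer not in trusted key list")
var ErrBadSignature = errors.New("signature does not match patch")

// Sign is the commit step, run on the developer's (trusted) machine.
func Sign(committer string, priv ed25519.PrivateKey, patch []byte) Revision {
	return Revision{committer, patch, ed25519.Sign(priv, patch)}
}

// Checkout is the "use" step. Verification happens here, so data altered on
// the (untrusted) server is detected as soon as it matters, not at the next
// backup comparison. A signature made with a stolen committer key still
// verifies: that is the "all bets are off" case from the thread.
func Checkout(trusted map[string]ed25519.PublicKey, r Revision) ([]byte, error) {
	pub, ok := trusted[r.Committer]
	if !ok {
		return nil, ErrUnknownKey
	}
	if !ed25519.Verify(pub, r.Patch, r.Sig) {
		return nil, ErrBadSignature
	}
	return r.Patch, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	trusted := map[string]ed25519.PublicKey{"alice": pub} // constructed trust list
	rev := Sign("alice", priv, []byte("fix off-by-one in parser"))
	rev.Patch = append(rev.Patch, []byte("; add backdoor")...) // server-side tampering
	_, err := Checkout(trusted, rev)
	fmt.Println("tampered checkout:", err)
}
```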