This is the mail archive of the gcc@gcc.gnu.org mailing list for the GCC project.



Re: Notes from the version control BOF at the summit


    > From: Florian Weimer <fw@deneb.enyo.de>

    > * Ian Lance Taylor:

    > > For accidental repository corruption, we have backups.  For deliberate
    > > repository corruption, digital signatures don't help, except to pin
    > > down precisely who did it.

    > The general belief is that developer machines are secure, while the
    > repository server is insecure.  The primary cause for that belief is
    > that so far, we have no publicly documented case in which a developer
    > machine was compromised, but several high-profile cases which involve
    > repositories or distribution sites.

    > However, digital signatures (if done right) can aid in recovery from a
    > break-in, but so can a good, multi-generation backup.

A fine point:

Signatures in a revision control system (as in arch) can aid in
_discovery_ of a break-in.  Multi-generation backup can not do that
absent additional infrastructure to compare backup to actuality and,
even so, a multi-generation backup strategy can not detect a break-in
before there is a chance that some process will use the bogus data.
Signature checking built into the revision control system guarantees
(or should, anyway) that bogosified data is never used -- it's
detected as being bogosified as soon as it matters.

Of course, if the committers' private keys are compromised then all
bets are off -- but at least with signatures there is another layer of
protection there.

-t

