
[Gnu-arch-users] svn signatures (was Re: [...] crypto signatures for arc


From: Tom Lord
Subject: [Gnu-arch-users] svn signatures (was Re: [...] crypto signatures for arch)
Date: Sat, 13 Dec 2003 08:52:16 -0800 (PST)



  >>>= Tom Lord:

  >>> There have been several (including some very recent) irc chats
  >>> about adding cryptographic signatures to arch.  My
  >>> understanding is that there might be some people interested in
  >>> implementing this.  I can do this myself but I thought I'd
  >>> post a plan for it here in case somebody wants to jump on it and
  >>> have some fun with it.

  >>= Robert Collins:

  >> So by my count, that's 5.5 days. You say svn are still debating??

  >= Thomas Zander:

  > Debating?  That can mean their system is not maintainable enough,
  > but also that their decision making process is too democratic...

There's plenty of other possibilities, too.  For example:

a) It isn't a priority for them.  I believe that they are strongly
   focused on making a 1.0 release at the moment.

b) Their storage manager (archive format) makes it a much harder 
   problem to solve (which may or may not be regarded as a 
   design flaw but, in any event, is not exactly the same thing 
   as "not maintainable enough").

The other (perhaps more) interesting case is CVS upon which project
hosts and many many hosted projects rely.  It's hard for me to imagine
how signing can be retrofit to CVS without anything less than extreme
pain.

The problem common to both CVS and svn (for signing) is that "what a
user will sign" has no direct connection to "what is stored in an
archive".   Worse, "what is stored in an archive" changes over time,
even for the parts representing only historic data.

Naively, that means that to do an en-masse verification of all of the
data in all of the archives on a project host, using either svn or
cvs, it will be necessary to read the archive databases, reconstruct
"what the user signed", and verify that -- a very expensive process
that isn't suitable either for break-in recovery or for on-going
intrusion detection.

Cleverly (as opposed to naively), either system may have additional
options.  Perhaps they can separately store "what the user signed"
and, for disaster recovery, simply reconstruct the archive from that
(still not cheap but hopefully "cheaper", especially if people prepare
to do that incrementally).

-t
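As an added illustration of the cost argument in the message above (this is not code from the thread, nor from arch, svn or CVS), the following Python contrasts the two storage designs: a delta archive where "what is stored" differs from "what the user signed", and a store that keeps the signed bytes beside the signature. An HMAC with a constructed key stands in for a real asymmetric signature, and the revision trees are constructed sample data.

```python
import hashlib, hmac, json

# Constructed demo key; HMAC stands in for the asymmetric signature a real
# deployment would use (an assumption made so the example runs offline).
SIGNING_KEY = b"constructed-demo-key"

def sign(payload: bytes) -> str:
    return hmac.new(SIGNING_KEY, payload, hashlib.sha256).hexdigest()

def canonical(tree: dict) -> bytes:
    # "What the user signed": a canonical encoding of the whole revision tree.
    return json.dumps(tree, sort_keys=True).encode()

def apply_deltas(deltas: list) -> dict:
    # Replay stored deltas to rebuild a tree; a None value marks a deleted path.
    tree = {}
    for delta in deltas:
        tree.update(delta)
    return {p: c for p, c in tree.items() if c is not None}

def delta_archive_commit(deltas: list, sigs: list, tree: dict) -> None:
    # svn/CVS-style storage: keep a delta against the parent, not the signed bytes.
    parent = apply_deltas(deltas)
    delta = {p: c for p, c in tree.items() if parent.get(p) != c}
    delta.update({p: None for p in parent if p not in tree})
    deltas.append(delta)
    sigs.append(sign(canonical(tree)))

def delta_archive_verify(deltas: list, sigs: list) -> tuple:
    # Each revision must be reconstructed before its signature can be checked.
    ok, reads = True, 0
    for i, sig in enumerate(sigs):
        stored = deltas[:i + 1]  # every record up to revision i is read again
        reads += len(stored)
        ok = ok and hmac.compare_digest(sign(canonical(apply_deltas(stored))), sig)
    return ok, reads

def signed_store_verify(records: list) -> tuple:
    # Alternative: the signed bytes sit beside the signature, one read per revision.
    return all(hmac.compare_digest(sign(p), s) for p, s in records), len(records)

def compare_cost(n: int = 4) -> tuple:
    # Commit n constructed revisions under both designs, then audit every one.
    deltas, sigs, records = [], [], []
    for i in range(n):
        tree = {"a": f"v{i}", "b": "x"} if i % 2 == 0 else {"a": f"v{i}"}
        delta_archive_commit(deltas, sigs, tree)
        records.append((canonical(tree), sign(canonical(tree))))
    return delta_archive_verify(deltas, sigs) + signed_store_verify(records)
```

`compare_cost(4)` returns `(True, 10, True, 4)`: both designs verify, but the delta archive had to read ten stored records to audit four revisions while the signed store read four, and the gap grows quadratically with history length.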
