gnu-arch-users

Re: [Gnu-arch-users] Re: Auto-registration


From: Brian May
Subject: Re: [Gnu-arch-users] Re: Auto-registration
Date: Mon, 09 Feb 2004 09:57:36 +1100
User-agent: Gnus/5.1006 (Gnus v5.10.6) Emacs/21.3 (gnu/linux)

>>>>> "Robert" == Robert Collins <address@hidden> writes:

    Robert> Use it. The user has decided where they want that archive

Not necessarily. Consider the security implications, if the user
doesn't know what an archive is registered as beforehand.

I could tell somebody "to test my new tree, please use my archive at:
<URL>".

The luser then enters the fetch command, and it registers the archive
and downloads. In fact, to the luser everything appears OK.

However, the luser may not have noticed that I created my archive by
creating a mirror of address@hidden (and removed the mirror
flag). So now, any updates/commits (OK, let's assume the luser has
write access, not true for this archive) will now go to my mirror instead
of the correct mirror.

Sure, signatures might provide an early warning sign if I alter the
contents, but only if I don't somehow fool the user into believing
that is expected.

It would be very simple just to fail to keep the mirror up-to-date, so
the luser fails to get security updates.

    Robert> to be found.  If you want to be nice, emit 'Using existing
    Robert> registration for archive FOO at BAR'.

Might help, only if the luser notices though...


As an "almost-related" security question:

Let's say I have an arch project, and somebody fraudulently commits a
back door to it in --patch-50. Nobody notices, because the key used
for signing it was fine, just not authorised to commit to this archive
(or similar). Other developers commit --patch-51 .. --patch-60.

Finally the back door is discovered.

How do you remove the back door?

One way I have considered is:

tla replay --reverse $revision--patch-50
tla commit -s "Remove back door"

However, this will also remove the patch log for patch-50, so patch 50
will get listed in the output of "whats-missing". Also, the backdoor
will remain in patch-51 .. patch-60 (although maybe this is considered
a good thing?) So what is the best way?

Just curious.
-- 
Brian May <address@hidden>
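
The risk raised in this message, a familiar archive name registered at a location the user never vetted, can be checked by comparing registrations against locations obtained out of band. This is an added example, not part of the original message; the listing format (archive name on one line, its location indented on the next), the sample data and the function names are assumptions.

```python
# Added example, not from the thread. Assumes the archive listing prints each
# archive name on one line and its location indented on the next line.

SAMPLE_LISTING = """\
upstream@example.org--2004
    http://mirror.example.net/archives/2004
dev@example.com--main
    http://arch.example.com/main/
stranger@example.net--test
    http://files.example.net/test
"""  # constructed sample, not real tool output

# Locations obtained out of band from each archive's owner (constructed).
PINNED = {
    "upstream@example.org--2004": "http://arch.example.org/2004",
    "dev@example.com--main": "http://arch.example.com/main",
}

def parse_listing(text):
    """Return {archive name: registered location} from the listing text."""
    registered, name = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0].isspace():          # indented line: location of `name`
            if name is None:
                raise ValueError("location line without an archive name")
            registered[name] = line.strip()
            name = None
        else:                          # unindented line: archive name
            name = line.strip()
    return registered

def audit(registered, pinned):
    """Classify each registration as ok, mismatch or unpinned."""
    findings = {}
    for name, location in sorted(registered.items()):
        expected = pinned.get(name)
        if expected is None:
            findings[name] = "unpinned"     # registered, never vetted
        elif location.rstrip("/") == expected.rstrip("/"):
            findings[name] = "ok"
        else:
            findings[name] = "mismatch"     # trusted name, unexpected location
    return findings

if __name__ == "__main__":
    for name, status in audit(parse_listing(SAMPLE_LISTING), PINNED).items():
        print(f"{status:9} {name}")
```

A "mismatch" is the case described above: the name matches an archive the user trusts, but commits and updates would go to a different location.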



