[Monotone-devel] Query regarding internal consistency checking


From: Nathaniel Smith
Subject: [Monotone-devel] Query regarding internal consistency checking
Date: Wed, 9 Jun 2004 04:15:27 -0700
User-agent: Mutt/1.5.6i

Suppose I discover that Bob is about to commit a version containing a
changed file with version code 12345, but he hasn't committed it yet.
(Say, because I saw the patch he sent to the list for review.)

Suppose I then connect to a netsync server and say "here's the file
with version code 12345", and hand it a different file, one containing
malicious code.  And then Bob actually gets around to doing his commit
and pushing to the server, and the server doesn't actually ask for
file version 12345, because it already has it.  And the server now has
a manifest that Bob attests is good, containing file 12345.

And now someone else syncs this into their database, and says "hey, a
new version, and signed by Bob -- I trust him", checks out that
version, compiles and runs it, and has something nasty happen to
their system as a result.

My question: is this plausible?  If not, when will things break down?
Presumably things will get wonky eventually (like the next time Bob
modifies that file, and sends out xdeltas that create garbage in
everyone else's checkout), but by that time the damage may have
already been done -- and with careful choice of Bob and file, it might
be a very long time coming.

-- Nathaniel

-- 
Details are all that matters; God dwells there, and you never get to
see Him if you don't struggle to get them right. -- Stephen Jay Gould
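
An added example (not part of the original message, and not monotone's own code) of the receiver-side check the question turns on: the store recomputes the hash of every file it is handed, whether whole or rebuilt from a delta, so content can never be filed under an ID it does not hash to. It assumes a version code is the SHA-1 of the file's bytes; `VerifyingStore`, `put_full`, `put_delta` and the sample files are hypothetical names constructed for illustration.

```python
import hashlib

class HashMismatch(Exception):
    """Raised when received bytes do not hash to the ID they were offered under."""

def content_id(data: bytes) -> str:
    # Assumption: a "version code" is the SHA-1 hex digest of the file's bytes.
    return hashlib.sha1(data).hexdigest()

class VerifyingStore:
    """Hypothetical receiver-side store: an ID is only ever bound to bytes
    that the receiver itself has hashed to that ID."""

    def __init__(self):
        self._blobs = {}

    def has(self, file_id: str) -> bool:
        return file_id in self._blobs

    def get(self, file_id: str) -> bytes:
        return self._blobs[file_id]

    def put_full(self, claimed_id: str, data: bytes) -> None:
        # Never trust the sender's label; recompute it from the bytes.
        actual = content_id(data)
        if actual != claimed_id:
            raise HashMismatch(f"offered as {claimed_id}, hashes to {actual}")
        self._blobs[claimed_id] = data

    def put_delta(self, base_id: str, claimed_id: str, apply_delta) -> None:
        # A delta gets the same treatment: rebuild first, then hash the result.
        self.put_full(claimed_id, apply_delta(self._blobs[base_id]))

def demo():
    store = VerifyingStore()
    bobs_file = b"int main(void) { return 0; }\n"   # constructed sample
    substitute = b"int main(void) { return 1; }\n"  # constructed sample
    bobs_id = content_id(bobs_file)
    try:
        store.put_full(bobs_id, substitute)  # different bytes under Bob's ID
        early_push_accepted = True
    except HashMismatch:
        early_push_accepted = False
    store.put_full(bobs_id, bobs_file)       # Bob's real push still lands
    return early_push_accepted, store.get(bobs_id) == bobs_file
```

With this check in place, "the server already has 12345" can only mean it holds bytes that really hash to that ID, so skipping the transfer when Bob pushes is safe.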



