
Re: GPG-Signed Commits and RCS Keyword exploit [long]


From: Derek Price
Subject: Re: GPG-Signed Commits and RCS Keyword exploit [long]
Date: Thu, 22 Sep 2005 10:58:41 -0400
User-agent: Mozilla Thunderbird 1.0.6 (Windows/20050716)

Jim Hyslop wrote:

> will this be signed as if I am checking in the un-expanded keyword,
> i.e. as if the file contains:


No.  Whatever content the file contains will be signed as is (after line
endings are converted for text files).  If keywords are spotted, the
user will see a warning or error like:

    cvs commit: warning: Detected keywords in signed file `dir/foo'.

or

    cvs [commit aborted]: Detected keywords in signed file `dir/foo'.

Whether this is a warning or an error will probably depend on a command
line option, though I haven't decided for certain yet.

The implications of this are that keyword replacement would still happen
on checkout and signatures would always fail to validate, unless the
files are checked out -ko, in which case they could still be validated.

Regards,

Derek

-- 
Derek R. Price
CVS Solutions Architect
Ximbiot <http://ximbiot.com>
v: +1 717.579.6168
f: +1 717.234.3125
<mailto:derek@ximbiot.com>
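
The behaviour described in the message above, as an added example that is not part of the original post or of CVS itself: a signature made over the committed bytes stops matching once keywords are expanded on checkout, and matches again when the stored bytes are returned unchanged as with -ko. Assumptions: a SHA-256 digest stands in for the GPG signature, the function names and sample file are hypothetical, and the expansion format is simplified.

```python
from __future__ import annotations
import hashlib
import re

# Standard RCS keyword names that are expanded on checkout.
RCS_KEYWORDS = ("Author", "Date", "Header", "Id", "Locker", "Log",
                "Name", "RCSfile", "Revision", "Source", "State")
# Matches the bare form ($Id$) and an already expanded form ($Id: ... $).
KEYWORD_RE = re.compile(
    rb"\$(" + "|".join(RCS_KEYWORDS).encode() + rb")(?::[^$\n]*)?\$")


def find_keywords(content: bytes) -> list[str]:
    """Return the keyword names present, in order of appearance."""
    return [m.group(1).decode() for m in KEYWORD_RE.finditer(content)]


def digest(content: bytes) -> str:
    """Stand-in for the signature (assumption): a digest of the exact bytes."""
    return hashlib.sha256(content).hexdigest()


def checkout(committed: bytes, values: dict[str, str], mode: str = "kv") -> bytes:
    """Simulate checkout: 'kv' expands keywords, 'o' returns the stored bytes."""
    if mode == "o":
        return committed

    def expand(m: re.Match) -> bytes:
        name = m.group(1).decode()
        if name not in values:
            return m.group(0)  # no value known: leave the keyword untouched
        return b"$" + m.group(1) + b": " + values[name].encode() + b" $"

    return KEYWORD_RE.sub(expand, committed)


def commit_check(path: str, content: bytes, strict: bool = False) -> str | None:
    """Produce the warning or error quoted in the message, or None if clean."""
    if not find_keywords(content):
        return None
    level = "[commit aborted]" if strict else "commit: warning"
    return f"cvs {level}: Detected keywords in signed file `{path}'."


# Constructed sample: the file as committed and signed, plus expansion values.
COMMITTED = b"/* $Id$ */\nint main(void) { return 0; }\n"
VALUES = {"Id": "foo.c,v 1.2 2005/09/22 14:58:41 jim Exp"}
SIGNED = digest(COMMITTED)
```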
