[cryptography] kernel.org hack and kernel integrity

Douglas Huff dhuff at jrbobdobbs.org
Sat Sep 3 02:18:55 EDT 2011


The short answer is "tweak[ing] dates on commits" would change the commit id
which would break any other existing trees dependent on that commit and
someone would notice. Really that simple.

-- 
Douglas Huff
On Sep 2, 2011 9:19 PM, "Jeffrey Walton" <noloader at gmail.com> wrote:
> Am I the only guy who finds the kernel integrity assurances suspect [1]:
>
> However, it's also useful to note that the potential damage of cracking
> kernel.org is far less than typical software repositories. That's because
> kernel development takes place using the git distributed revision control
> system, designed by Linus Torvalds. For each of the nearly 40,000 files
> in the Linux kernel, a cryptographically secure SHA-1 hash is calculated
> to uniquely define the exact contents of that file.
>
> I did see the claims that git had security-related design goals
> (Wikipedia). Unfortunately, the Wikipedia reference points to a
> Torvalds talk at Google where he claims "security is distributed. and
> I trust 5, 10, 0r 15 developers [sic]" [2] (among his other ramblings
> and bashings). So it's not clear to me how Torvalds trusts a few people,
> therefore integrity is assured. And naively, I would also expect that
> the ability to do things like "tweak dates on commits" would help hide
> malicious behavior [3].
>
> Could anyone explain git's security assurances to a non-git layman?
>
> [1] http://kernel.org/
> [2] http://www.youtube.com/watch?v=4XpnKHJAok8, 27:43
> [3] https://git.wiki.kernel.org/index.php/GitFaq#How_can_I_tweak_the_date_of_a_commit_in_the_repo.3F
> _______________________________________________
> cryptography mailing list
> cryptography at randombit.net
> http://lists.randombit.net/mailman/listinfo/cryptography
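
Added example, not part of either message and not git's own code: a sketch of how git derives commit ids, showing that changing one commit's date changes that id and the id of every descendant, which is what another clone would notice. The identity, timestamps and messages are constructed, and every commit points at the empty tree to keep the sample short.

```python
import hashlib

EMPTY_TREE = "4b825dc642cb6eb9a060e54bf8d69288fbee4904"  # git's id for an empty tree
WHO = "A Developer <dev@example.org>"                    # constructed identity

def git_object_id(obj_type, body):
    """SHA-1 over '<type> <size>NUL<body>', which is how git names objects."""
    header = f"{obj_type} {len(body)}\0".encode()
    return hashlib.sha1(header + body).hexdigest()

def commit_id(tree, parent, who, when, message):
    """Serialize a commit as git stores it; the parent id and dates are hashed too."""
    lines = [f"tree {tree}"]
    if parent:
        lines.append(f"parent {parent}")
    lines += [f"author {who} {when}", f"committer {who} {when}", "", message]
    return git_object_id("commit", ("\n".join(lines) + "\n").encode())

# Constructed sample history: (unix timestamp + timezone, message), oldest first.
HISTORY = [
    ("1314900000 +0000", "first"),
    ("1314903600 +0000", "second"),
    ("1314907200 +0000", "third"),
    ("1314910800 +0000", "fourth"),
]

def chain_ids(history):
    """Return the commit ids of a linear history, each commit naming its parent."""
    ids, parent = [], None
    for when, message in history:
        parent = commit_id(EMPTY_TREE, parent, WHO, when, message)
        ids.append(parent)
    return ids

def tweak_date(history, index, new_when):
    """Copy of the history with one commit's date altered."""
    out = list(history)
    out[index] = (new_when, out[index][1])
    return out

def first_divergence(trusted, offered):
    """Index of the first commit whose id differs from a trusted clone, or None."""
    for i, (a, b) in enumerate(zip(trusted, offered)):
        if a != b:
            return i
    return None

if __name__ == "__main__":
    original = chain_ids(HISTORY)
    tampered = chain_ids(tweak_date(HISTORY, 1, "1314903601 +0000"))
    for a, b in zip(original, tampered):
        print(a[:12], b[:12], "same" if a == b else "CHANGED")
    print("first divergence at commit", first_divergence(original, tampered))
```

The check only detects tampering relative to ids someone already holds; it says nothing about whether the original commits were trustworthy.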