[cryptography] kernel.org hack and kernel integrity
dhuff at jrbobdobbs.org
Sat Sep 3 02:18:55 EDT 2011
The short answer is "tweak[ing] dates on commits" would change the commit id
which would break any other existing trees dependent on that commit and
someone would notice. Really that simple.
On Sep 2, 2011 9:19 PM, "Jeffrey Walton" <noloader at gmail.com> wrote:
> Am I the only guy who finds the kernel integrity assurances suspect:
> However, it's also useful to note that the potential damage of cracking
> kernel.org is far less than typical software repositories. That's because
> kernel development takes place using the git distributed revision control
> system, designed by Linus Torvalds. For each of the nearly 40,000 files
> in the Linux kernel, a cryptographically secure SHA-1 hash is calculated
> to uniquely define the exact contents of that file.
> I did see the claims that git had security related design goals
> (Wikipedia). Unfortunately, the Wikipedia reference points to a
> Torvalds talk at Google where he claims "security is distributed. and
> I trust 5, 10, 0r 15 developers [sic]" (among his other ramblings
> and bashings). So it's not clear to me how Torvalds trusts a few people,
> therefore integrity is assured. And naively, I would also expect that
> the ability to do things like "tweak dates on commits" would help hide
> malicious behavior.
> Could anyone explain git's security assurances to a non-git layman?
>  http://kernel.org/
>  http://www.youtube.com/watch?v=4XpnKHJAok8, 27:43
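
The point made in the reply above can be reproduced without git itself. The following is an added example, not part of the original thread and not git's own code: it rebuilds git's object naming (SHA-1 over `<type> <size>\0<body>`) and shows that changing one commit's date changes that commit's id and the id of every commit that names it as a parent. The file content, author identity, timestamps and helper names are constructed for illustration.

```python
import hashlib

def git_object_id(obj_type: str, body: bytes) -> str:
    """Name an object the way git does: SHA-1 over '<type> <size>\\0<body>'."""
    header = f"{obj_type} {len(body)}".encode() + b"\0"
    return hashlib.sha1(header + body).hexdigest()

def commit_id(tree: str, parents: list, who: str, timestamp: int, message: str) -> str:
    """Serialize a commit object (tree, parents, author, committer, message) and hash it."""
    lines = [f"tree {tree}"]
    lines += [f"parent {p}" for p in parents]
    lines += [
        f"author {who} {timestamp} +0000",
        f"committer {who} {timestamp} +0000",
        "",
        message,
    ]
    return git_object_id("commit", ("\n".join(lines) + "\n").encode())

def build_chain(first_timestamp: int) -> tuple:
    """Two-commit history; only the first commit's date is a parameter."""
    # Constructed sample content and identity (assumptions for this example).
    blob = git_object_id("blob", b"int main(void) { return 0; }\n")
    # A tree entry is '<mode> <name>\0' followed by the raw 20-byte blob id.
    tree = git_object_id("tree", b"100644 main.c\0" + bytes.fromhex(blob))
    who = "A Developer <dev@example.invalid>"
    first = commit_id(tree, [], who, first_timestamp, "initial import")
    # The child commit's own date is fixed; it depends on `first` only by id.
    second = commit_id(tree, [first], who, 1314950400, "second change")
    return first, second

def diverged(chain_a: tuple, chain_b: tuple) -> list:
    """Indexes of commits whose ids differ between two histories."""
    return [i for i, (a, b) in enumerate(zip(chain_a, chain_b)) if a != b]

if __name__ == "__main__":
    honest = build_chain(1314000000)
    tweaked = build_chain(1314000001)  # same content, date moved by one second
    for label, chain in (("honest ", honest), ("tweaked", tweaked)):
        print(label, *chain)
    print("commits with changed ids:", diverged(honest, tweaked))
```

Anyone holding a clone made before the change still has the original ids, so a fetch from the altered repository shows up as diverged history rather than a silent update.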