[darcs-users] Re: signing of patches

David Roundy droundy at abridgegame.org
Sat Dec 4 13:16:49 UTC 2004


On Thu, Dec 02, 2004 at 10:58:30PM +0100, Karel Gardas wrote:
> ...[problems with signed patch bundle repository idea]...
> 1) push from not-updated repository leads to merging in untrusted domain,
...
> 2) push also updates inventory and its verification might not be so
... [and reordering]
> Both points (1) and (2) mean that get/pull commands patch verification
> support will be quite complex in comparison with Jorgen proposal where we
> will need to just verify simple signatures on individual files, all
> patches used and inventory.

Agreed, this will be a pain to implement, and could greatly slow down darcs
(a scary thought).  But it is a solveable problem that "just needs
implementation."

> 3) enhancing repository by patch-bundles is kind of divergence from
> symetric model taken by darcs, since then we will end with "patch bundles"
> repositories and "normal" repositories, at least that's my "feeling" about
> it

This is more of an issue.  The patch bundle repository idea is quite a
nasty one.  Its advantage is that you *always* have the signature of
the original creator of each patch, regardless of how much merging goes
on.  This is not a trivial advantage.

> My own proposal to this discussion is:
...
> What do you think about it?

Basically, the idea is that whenever a patch's contents change, we need to
re-sign it? Or probably more precisely, whenever a patche's *context*
changes we need to re-sign it.  This means losing the original developer's
signature.  For this to be secure, we still can't only sign the patch file
itself, unless the same person also signs the inventory, since someone
could take that patch file and reorder it in order to introduce a bug.

In fact, separately signing the inventory and patch files gives us no
security whatsoever, since someone could then craft a repository out of
combinations of the signed (by me) patches and inventories of the darcs and
darcs-unstable repositories and thus create a corrupt repo.  It would be a
pain to do this in a way that introduces a security hole, but it would be
possible.  And it would be very easy to simply introduce corruption into
the system, which would be enough to be very annoying.

However, if the signatures of each patch is a signature of a patch bundle
(which also contains the context), this wouldn't be so bad.  But of course,
then we're getting back to something more like the patch bundle repository
idea.

But if we modify your idea only be making the signatures of the patches be
"patch bundle signatures", we could create the patch bundles on the fly and
then verify the signature.  We wouldn't have the "patch bundle repository"
idea advantage of preserving the original signatures, but at least we'd be
able to confirm that the repository is signed by a single person.  In some
cases (where no merge was performed) we could also preserve the original
contributor's signature.
-- 
David Roundy
http://www.darcs.net




More information about the darcs-users mailing list