[darcs-users] Security

David Roundy droundy at abridgegame.org
Tue Dec 28 16:15:45 UTC 2004


On Mon, Dec 27, 2004 at 04:34:34PM +0100, Peter Busser wrote:
> On Monday 27 December 2004 15:41, you wrote:
> > Fundamentally, if someone can use an unrelated hole to break in to a
> > master repo server, game's over, they can hand-edit the repo to slide
> > their trojan in no matter what. But as long as they have to try and
> > slip their mods in through the normal flow of the code mgmt system, I
> > think darcs's design may make it as robust as any and more so than most
> > at giving maintainers good odds of catching sneaky stuff before it gets
> > published.
> 
> That is true for situations where there is no additional security
> provided to protect the repository. If you would have e.g. GnuPG signed
> files, then you would not just have to hack the machine, but also have to
> somehow get the private key used + passphrase. This would make silently
> introducing trojans harder to do and easier to detect.

Indeed, this has been discussed recently, and we now have a decent idea as
to how to allow signed repositories.  One should be able to keep the
signing key on a separate computer (or removable disk) that isn't
publicly accessible, and either push changes or send them as signed patch
bundles via email, which would make it rather hard to modify a repository,
even if one cracked into its hosting machine.

So now it'll just take time and thought to implement this.  You could
search the archives for a thread started by Karel sometime in the past
month or so.  I had some earlier ideas, but they weren't as clean as what
came out of that discussion.

The basic idea is two-staged.  First we need to add checksums to the
inventory files, probably by adding a second alternate inventory file, for
backwards compatibility.  Then we add a mechanism for signing the inventory
files, which is now sufficient to verify the entire repository.
-- 
David Roundy
http://www.darcs.net
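The two-stage scheme David describes (checksums of every patch recorded in an inventory, then a signature over that inventory made with a key held off the hosting machine) can be shown end to end in a small Go program. This is an added example, not darcs code and not darcs' real inventory format: it assumes an Ed25519 key pair, a toy inventory of "sha256 name" lines, and two constructed patch bodies. It verifies a clean repository, then shows that an attacker with only host access who edits a patch trips the checksum, and that rewriting the inventory to match trips the signature.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// Repo models what the hosting machine serves: patch bundles by name, an
// inventory listing them with checksums, and a signature over the inventory.
// Toy format for this example only, not darcs' on-disk layout.
type Repo struct {
	Patches   map[string][]byte
	Inventory string
	Signature []byte
}

// BuildInventory is stage one: one "<sha256 hex> <name>" line per patch,
// sorted by name so the text is deterministic and can be signed.
func BuildInventory(patches map[string][]byte) string {
	names := make([]string, 0, len(patches))
	for n := range patches {
		names = append(names, n)
	}
	sort.Strings(names)
	var b strings.Builder
	for _, n := range names {
		sum := sha256.Sum256(patches[n])
		fmt.Fprintf(&b, "%s %s\n", hex.EncodeToString(sum[:]), n)
	}
	return b.String()
}

// SignInventory is stage two: the private key lives on a separate machine
// or removable disk, never on the public host.
func SignInventory(priv ed25519.PrivateKey, inventory string) []byte {
	return ed25519.Sign(priv, []byte(inventory))
}

// VerifyRepo checks the signature first, then every checksum the signed
// inventory covers, and finally that no unlisted patch was slipped in.
func VerifyRepo(pub ed25519.PublicKey, r Repo) error {
	if !ed25519.Verify(pub, []byte(r.Inventory), r.Signature) {
		return errors.New("inventory signature invalid")
	}
	listed := map[string]bool{}
	for _, line := range strings.Split(strings.TrimSpace(r.Inventory), "\n") {
		if line == "" {
			continue
		}
		fields := strings.SplitN(line, " ", 2)
		if len(fields) != 2 {
			return fmt.Errorf("malformed inventory line %q", line)
		}
		want, name := fields[0], fields[1]
		data, ok := r.Patches[name]
		if !ok {
			return fmt.Errorf("patch %q listed but missing", name)
		}
		sum := sha256.Sum256(data)
		if hex.EncodeToString(sum[:]) != want {
			return fmt.Errorf("patch %q does not match its checksum", name)
		}
		listed[name] = true
	}
	for name := range r.Patches {
		if !listed[name] {
			return fmt.Errorf("patch %q present but not in signed inventory", name)
		}
	}
	return nil
}

// Demo signs a two-patch repository (constructed contents), then applies two
// tampering steps in sequence and returns the verification result of each.
func Demo() (clean, tamperedPatch, tamperedInventory error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	repo := Repo{Patches: map[string][]byte{
		"20041227-fix-parser.dpatch": []byte("hunk ./Parser.hs 10\n-old\n+new\n"),
		"20041228-add-tests.dpatch":  []byte("addfile ./Test.hs\n"),
	}}
	repo.Inventory = BuildInventory(repo.Patches)
	repo.Signature = SignInventory(priv, repo.Inventory)
	clean = VerifyRepo(pub, repo)

	// Host compromise only: a patch body is edited in place; the signed
	// inventory still carries the original checksum.
	repo.Patches["20041227-fix-parser.dpatch"] = []byte("hunk ./Parser.hs 10\n-old\n+new\n+unreviewed\n")
	tamperedPatch = VerifyRepo(pub, repo)

	// Attacker regenerates the inventory to match, but has no signing key.
	repo.Inventory = BuildInventory(repo.Patches)
	tamperedInventory = VerifyRepo(pub, repo)
	return
}

func main() {
	clean, tp, ti := Demo()
	fmt.Println("clean:", clean)
	fmt.Println("edited patch:", tp)
	fmt.Println("rewritten inventory:", ti)
}
```

The order of checks in VerifyRepo matters: the signature is verified before any inventory line is parsed, so an attacker who controls the host cannot feed the verifier a crafted inventory of their own choosing. The unlisted-patch check covers the case the checksum lines alone would miss, a new file dropped into the repository that the signed inventory never mentions.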