[darcs-users] patch file naming

Zooko O'Whielacronx zooko at zooko.com
Sat Mar 20 13:39:33 UTC 2004

> On the plus side, this kind of trick would most likely be noticed, as most
> likely another patch would end up failing to work on one or the other of
> the repos.  So for this to be effective, the attacker would want to choose
> a file that is rarely modified.

This line of thought is cold comfort to me.  In my opinion, the recent Linux
backdoor insertion would have worked if the attacker had inserted it into
a developer's actual patch instead of inserting it into the CVS tree.

My point is that the backdoor was sufficiently innocuous looking and
sufficiently small that it probably would not have been discovered during
casual code-reading, nor would it probably have caused merge conflicts or other
problems that would draw attention to it.

Unfortunately, I can't think of a solution to this problem in the context of
darcs.  I guess for now I'll just have to accept this risk as the price of
using darcs.
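One defensive check that follows from the quoted scenario, as an added example that is not part of this thread or of darcs itself: compare two repositories' patches by content digest rather than by patch name, so a patch that keeps its name but carries different text in one repo is reported even when nothing else fails to merge. Patch names, file paths and diff bodies below are constructed for the example; darcs' real on-disk patch format is not reproduced.

```python
import hashlib

# Constructed sample data: each "repository" maps a darcs-style patch
# name to the patch text it actually carries. Everything here is invented
# for illustration.
REPO_A = {
    "20040320120000-abcd1234-fix-parser.gz":
        "hunk ./src/parser.c 42\n-  int n = len;\n+  int n = len + 1;\n",
    "20040318090000-abcd1234-update-docs.gz":
        "hunk ./README 3\n+See INSTALL for build notes.\n",
}
REPO_B = dict(REPO_A)
# The rarely-modified file from the quoted message: same patch name in
# both repos, but repo B's copy also touches a second file with a
# one-character change that casual reading would likely miss.
REPO_B["20040318090000-abcd1234-update-docs.gz"] = (
    "hunk ./README 3\n+See INSTALL for build notes.\n"
    "hunk ./src/limits.c 77\n-  if (n > max)\n+  if (n >= max)\n"
)


def patch_digest(body: str) -> str:
    """Content digest of one patch; the name plays no part in it."""
    return hashlib.sha256(body.encode("utf-8")).hexdigest()


def manifest(repo: dict) -> dict:
    """Map every patch name to its content digest (publishable for cross-checks)."""
    return {name: patch_digest(body) for name, body in repo.items()}


def audit(repo_a: dict, repo_b: dict):
    """Compare two repos by digest.

    Returns (divergent, only_a, only_b): names present in both repos whose
    content differs, names present only in A, and names present only in B.
    A non-empty 'divergent' list is the case the thread worries about.
    """
    ma, mb = manifest(repo_a), manifest(repo_b)
    shared = ma.keys() & mb.keys()
    divergent = sorted(n for n in shared if ma[n] != mb[n])
    return divergent, sorted(ma.keys() - mb.keys()), sorted(mb.keys() - ma.keys())


if __name__ == "__main__":
    divergent, only_a, only_b = audit(REPO_A, REPO_B)
    for name in divergent:
        print(f"DIVERGENT {name}: {patch_digest(REPO_A[name])[:12]} != {patch_digest(REPO_B[name])[:12]}")
```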
