Tom Lord <lord@emf.net> said:
> Think of it this way:
>
> (a) Joe, the mainline maintainer, gets a trusted message containing
>     a diff.
>
> (b) Joe reads the diff, it makes great sense, he wants to merge.
>
> (c) Joe downloads a tree. Supposedly that tree is the result of
>     applying this diff. The tree, not the diff, is used for
>     merging.
>
> You can see the logical whole there... now the practical one:
>
> (d) Joe is repeating (a..c) at an unfathomably high rate.
>     At a low rate, he could be double-checking enough that
>     the diff-vs-tree problem isn't that serious. But
>     at the rate he operates, exploits appear all along the
>     patch-flow pipeline because so much stuff goes unchecked.
>
> Joe may scan the changes he's merged before committing but,
> if his rate is high, that scan *must*, out of biological and
> physical necessity, be shallow. Exploits can occur on the
> submitter machine, in the communication channel, and on Joe's
> machine. Social exploits can occur because of the separation
> between a submitter saying "this is what I'm doing" vs. the reality
> of what the submitter is doing.

Now pray tell how Joe signing one, two, three, or none of the things he
is juggling makes any difference here.
-- 
Dr. Horst H. von Brand                   User #22616 counter.li.org
Departamento de Informatica                     Fono: +56 32 654431
Universidad Tecnica Federico Santa Maria              +56 32 654239
Casilla 110-V, Valparaiso, Chile                Fax:  +56 32 797513

Received on Sat Apr 30 07:48:46 2005
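The diff-versus-tree gap in steps (a) to (c) of the quoted message can be checked mechanically. The following is an added example, not part of either post and not code from git or any other project: it recomputes the changed lines between the base tree and the received tree and reports every file whose real change differs from what the reviewed diff shows. Trees are modelled as constructed path-to-text dicts, and all function and variable names are hypothetical.

```python
import difflib
import re

HUNK = re.compile(r"^@@ -\d+(?:,(\d+))? \+\d+(?:,(\d+))? @@")

def changed_lines(diff_text):
    """Per-file '+'/'-' lines of a unified diff; hunk counts delimit bodies."""
    out, path, old, new = {}, None, 0, 0
    for line in diff_text.splitlines():
        if old > 0 or new > 0:                      # inside a hunk body
            if line.startswith(("+", "-")):
                out[path].append(line)
            if not line.startswith(("-", "\\")):    # '+' and context use a new-side line
                new -= 1
            if not line.startswith(("+", "\\")):    # '-' and context use an old-side line
                old -= 1
        elif line.startswith("+++ "):
            path = line[4:].split("\t")[0].removeprefix("b/")
            out.setdefault(path, [])
        elif (m := HUNK.match(line)) and path is not None:
            old, new = (1 if g is None else int(g) for g in m.groups())
    return {p: c for p, c in out.items() if c}

def tree_changes(base, received):
    """Same representation, recomputed from the two trees themselves."""
    out = {}
    for path in set(base) | set(received):
        a = base.get(path, "").splitlines()
        b = received.get(path, "").splitlines()
        diff = list(difflib.unified_diff(a, b, lineterm="", n=0))[2:]  # drop file headers
        body = [l for l in diff if l.startswith(("+", "-"))]
        if body:
            out[path] = body
    return out

def unreviewed(base, received, diff_text):
    """Files whose real change differs from what the reviewed diff shows."""
    claimed, actual = changed_lines(diff_text), tree_changes(base, received)
    return sorted(p for p in set(claimed) | set(actual)
                  if claimed.get(p) != actual.get(p))

# Constructed sample: the received tree carries one change the diff never showed.
BASE = {"main.c": "int main(void)\n{\n\treturn 0;\n}\n",
        "Makefile": "all:\n\tcc -O2 -o app main.c\n"}
REVIEWED_DIFF = "\n".join(["--- a/main.c", "+++ b/main.c", "@@ -1,4 +1,5 @@",
    " int main(void)", " {", "+\tinit();", " \treturn 0;", " }"])
HONEST = {**BASE, "main.c": "int main(void)\n{\n\tinit();\n\treturn 0;\n}\n"}
RECEIVED = {**HONEST, "Makefile": "all:\n\tcc -O0 -o app main.c\n"}
```

A file can also be reported because the sender's diff tool paired lines differently from difflib; a report means "inspect by hand", so that error falls on the safe side.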