Re: [OT] USENIX paper on Git

2016-08-03 Thread David Lang
On Wed, 3 Aug 2016, Santiago Torres wrote: So if you want to treat Git as a cryptographic end-to-end distribution mechanism, then no, it fails horribly at that. But the state of the art in source code distribution, no matter which system you use, is much less advanced than that. People download

Re: [OT] USENIX paper on Git

2016-08-03 Thread Santiago Torres
On Wed, Aug 03, 2016 at 01:58:54PM -0400, Jeff King wrote: > On Wed, Aug 03, 2016 at 01:45:00PM -0400, Santiago Torres wrote: > > > > - if there is a chain of signatures, the attacker must follow the > > > chain, but they can always withhold links from the end. So imagine a > > >

Re: [OT] USENIX paper on Git

2016-08-03 Thread Stefan Beller
On Wed, Aug 3, 2016 at 10:22 AM, Santiago Torres wrote: > On Wed, Aug 03, 2016 at 10:14:21AM -0700, Stefan Beller wrote: >> On Wed, Aug 3, 2016 at 8:25 AM, Santiago Torres wrote: >> > > share things before they are published. Thankfully, this is OK in >> >> >

Re: [OT] USENIX paper on Git

2016-08-03 Thread Santiago Torres
On Wed, Aug 03, 2016 at 10:35:39AM -0700, Stefan Beller wrote: > On Wed, Aug 3, 2016 at 10:22 AM, Santiago Torres wrote: > > On Wed, Aug 03, 2016 at 10:14:21AM -0700, Stefan Beller wrote: > >> On Wed, Aug 3, 2016 at 8:25 AM, Santiago Torres wrote: > >> > >

Re: [OT] USENIX paper on Git

2016-08-03 Thread Jeff King
On Wed, Aug 03, 2016 at 01:45:00PM -0400, Santiago Torres wrote: > > - if there is a chain of signatures, the attacker must follow the > > chain, but they can always withhold links from the end. So imagine a > > repository has held a sequence of signed states (A, B, C), that B > >

Re: [OT] USENIX paper on Git

2016-08-03 Thread Santiago Torres
On Wed, Aug 03, 2016 at 10:35:54AM -0700, Junio C Hamano wrote: > Santiago Torres writes: > > >> Submodules actually track commits, not tags or branches. > >> > >> This is confusing for some users, e.g. the user intended to track a > >> library at version 1.1, but it tracks

Re: [OT] USENIX paper on Git

2016-08-03 Thread Junio C Hamano
Santiago Torres writes: >> Submodules actually track commits, not tags or branches. >> >> This is confusing for some users, e.g. the user intended to track >> a library at version 1.1, but it tracks 1234abcd instead (which is what >> 1.1 points at). > > I'm assuming that git

Re: [OT] USENIX paper on Git

2016-08-03 Thread Santiago Torres
Hello, > Here are my comments on the work itself. They're critical, but meant in > a friendly way. :) > Thanks! If anything, the community here has been incredibly helpful in helping me understand everything. > As far as the attack goes, I'm still not convinced this is all that > _interesting_

Re: [OT] USENIX paper on Git

2016-08-03 Thread Junio C Hamano
Jeff King writes: > Here are my comments on the work itself. They're critical, but meant in > a friendly way. :) A tl;dr version of your analysis seems to me that "you solve it the same way as the push certificate solves it (including the limitation the latter has)". If that is

Re: [OT] USENIX paper on Git

2016-08-03 Thread Santiago Torres
On Wed, Aug 03, 2016 at 10:14:21AM -0700, Stefan Beller wrote: > On Wed, Aug 3, 2016 at 8:25 AM, Santiago Torres wrote: > > > share things before they are published. Thankfully, this is OK in > >> > USENIX's book. Here's the link: > >> >

Re: [OT] USENIX paper on Git

2016-08-03 Thread Stefan Beller
On Wed, Aug 3, 2016 at 8:25 AM, Santiago Torres wrote: > > share things before they are published. Thankfully, this is OK in >> > USENIX's book. Here's the link: >> > http://i2.cdn.turner.com/cnnnext/dam/assets/160730192650-14new-week-in-politics-super-169.jpg >> >> While I had

Re: [OT] USENIX paper on Git

2016-08-03 Thread Jeff King
On Wed, Aug 03, 2016 at 10:58:31AM -0400, Santiago Torres wrote: > I will be presenting a paper regarding the Git metadata issues that we > discussed at the beginning of the year at USENIX '16. I'm writing to > make everyone in this ML aware that this work exists and to bring > everyone into the

Re: [OT] USENIX paper on Git

2016-08-03 Thread Santiago Torres
> share things before they are published. Thankfully, this is OK in > > USENIX's book. Here's the link: > > http://i2.cdn.turner.com/cnnnext/dam/assets/160730192650-14new-week-in-politics-super-169.jpg > > While I had a good laugh, I am wondering whether this is the correct link? Oh my god,

Re: [OT] USENIX paper on Git

2016-08-03 Thread Johannes Schindelin
Hi Santiago, On Wed, 3 Aug 2016, Santiago Torres wrote: > I'm open for feedback and corrections. If anything seems odd or imprecise > to the community, I can make an errata in the presentation (at least). > I'll also try to work towards making corrections anywhere if possible; > this is my first