On Wed, 3 Aug 2016, Santiago Torres wrote:
So if you want to treat Git as a cryptographic end-to-end distribution
mechanism, then no, it fails horribly at that. But the state of the art
in source code distribution, no matter which system you use, is much
less advanced than that. People download
On Wed, Aug 03, 2016 at 01:58:54PM -0400, Jeff King wrote:
> On Wed, Aug 03, 2016 at 01:45:00PM -0400, Santiago Torres wrote:
>
> > > - if there is a chain of signatures, the attacker must follow the
> > > chain, but they can always withhold links from the end. So imagine a
> > >
On Wed, Aug 3, 2016 at 10:22 AM, Santiago Torres wrote:
> On Wed, Aug 03, 2016 at 10:14:21AM -0700, Stefan Beller wrote:
>> On Wed, Aug 3, 2016 at 8:25 AM, Santiago Torres wrote:
>> > > share things before they are published. Thankfully, this is OK in
>> >> >
On Wed, Aug 03, 2016 at 10:35:39AM -0700, Stefan Beller wrote:
> On Wed, Aug 3, 2016 at 10:22 AM, Santiago Torres wrote:
> > On Wed, Aug 03, 2016 at 10:14:21AM -0700, Stefan Beller wrote:
> >> On Wed, Aug 3, 2016 at 8:25 AM, Santiago Torres wrote:
> >> > >
On Wed, Aug 03, 2016 at 01:45:00PM -0400, Santiago Torres wrote:
> > - if there is a chain of signatures, the attacker must follow the
> > chain, but they can always withhold links from the end. So imagine a
> > repository has held a sequence of signed states (A, B, C), that B
> >
On Wed, Aug 03, 2016 at 10:35:54AM -0700, Junio C Hamano wrote:
> Santiago Torres writes:
>
> >> Submodules actually track commits, not tags or branches.
> >>
> >> This is confusing for some users, e.g. the user intended to track a
> >> library at version 1.1, but it tracks
Santiago Torres writes:
>> Submodules actually track commits, not tags or branches.
>>
>> This is confusing for some users, e.g. the user intended to track
>> a library at version 1.1, but it tracks 1234abcd instead (which is what
>> 1.1 points at).
>
> I'm assuming that git
Hello,
> Here are my comments on the work itself. They're critical, but meant in
> a friendly way. :)
>
Thanks! If anything, the community here has been incredibly helpful in
helping me understand everything.
> As far as the attack goes, I'm still not convinced this is all that
> _interesting_
Jeff King writes:
> Here are my comments on the work itself. They're critical, but meant in
> a friendly way. :)
A tl;dr version of your analysis seems to me that "you solve it the
same way as the push certificate solves it (including the limitation
the latter has)".
If that is
On Wed, Aug 03, 2016 at 10:14:21AM -0700, Stefan Beller wrote:
> On Wed, Aug 3, 2016 at 8:25 AM, Santiago Torres wrote:
> > > share things before they are published. Thankfully, this is OK in
> >> > USENIX's book. Here's the link:
> >> >
On Wed, Aug 3, 2016 at 8:25 AM, Santiago Torres wrote:
> > share things before they are published. Thankfully, this is OK in
>> > USENIX's book. Here's the link:
>> > http://i2.cdn.turner.com/cnnnext/dam/assets/160730192650-14new-week-in-politics-super-169.jpg
>>
>> While I had
On Wed, Aug 03, 2016 at 10:58:31AM -0400, Santiago Torres wrote:
> I will be presenting a paper regarding the Git metadata issues that we
> discussed at the beginning of the year at USENIX '16. I'm writing to
> make everyone in this ML aware that this work exists and to bring
> everyone into the
> share things before they are published. Thankfully, this is OK in
> > USENIX's book. Here's the link:
> > http://i2.cdn.turner.com/cnnnext/dam/assets/160730192650-14new-week-in-politics-super-169.jpg
>
> While I had a good laugh, I am wondering whether this is the correct link?
Oh my god,
Hi Santiago,
On Wed, 3 Aug 2016, Santiago Torres wrote:
> I'm open for feedback and corrections. If anything seems odd or imprecise
> to the community, I can make an errata in the presentation (at least).
> I'll also try to work towards making corrections anywhere if possible;
> this is my first