Jim Hyslop wrote:
> Either way, if the server is compromised, the local file ends up
> containing the exploit.

Yes, but if I ignore keyword expansion entirely (other than giving a warning or error when keywords are present in the file at commit time), then you won't have a CVS executable that tells you you have a valid, signed, base revision just before it installs compromised code in your sandbox. If you do have keywords in your file, checking out -ko would still allow revisions to be verified in this way.

> However, there is a difference: if CVS/Base contains the expanded
> keywords, then there is absolutely no way for me to validate the
> signature on my local copy of the file. If, on the other hand,
> CVS/Base contains the exact file as checked in by the user, I can
> validate the signature, and examine the keyword patch file to look for
> any irregularities. It's not a perfect solution, since I have to
> examine the keyword file manually, but it gets part way there.

You could do the same by parsing the output of `cvs status' or `cvs log' and performing the substitutions with a sed script, perhaps as part of your software build. Perhaps this would be a good script for contrib if no one implements secure keyword substitution after I am done with the GPG-signed commits code.

Regards,

Derek
-- 
Derek R. Price
CVS Solutions Architect
Ximbiot <http://ximbiot.com>
v: +1 717.579.6168
f: +1 717.234.3125
<mailto:[EMAIL PROTECTED]>
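One way to do the substitution Derek describes, as an added example that is not from the thread or from CVS itself: a POSIX shell script that reads the working revision from constructed `cvs status` output and expands `$Revision$` and `$Id$` in a `-ko` file, refusing to touch a file that already carries expanded keywords (which would mean it is not the unexpanded base the signature covers). The `$Id$` expansion here is reduced to file and revision, since the date and author fields come from `cvs log`, which this example does not parse.

```shell
#!/bin/sh
# Added example: client-side keyword expansion for a -ko checkout, driven by
# `cvs status` output, so the unexpanded file can be signature-checked first.
# SAMPLE_STATUS and SAMPLE_FILE are constructed samples, not real cvs output.

SAMPLE_STATUS='===================================================================
File: foo.c             Status: Up-to-date

   Working revision:    1.7
   Repository revision: 1.7     /cvsroot/proj/foo.c,v
   Sticky Options:      -ko'

SAMPLE_FILE='/* $Id$ */
static const char rev[] = "$Revision$";'

# Print the working revision from `cvs status` output read on stdin.
working_revision() {
    sed -n 's/^[[:space:]]*Working revision:[[:space:]]*\([0-9][0-9.]*\).*$/\1/p'
}

# Succeed (exit 0) if stdin already contains an expanded keyword such as
# "$Revision: 1.7 $". In a -ko checkout that means the file is not the
# pristine base revision the commit signature was made over.
has_expanded_keyword() {
    grep -Eq '[$](Id|Revision|Author|Date|Header|Name|Log|RCSfile|Source|State): '
}

# Expand $Revision$ and a reduced $Id$ (file,v and revision only; date and
# author would need `cvs log`) in the text on stdin. $1 = revision, $2 = file.
expand_keywords() {
    rev="$1"; file="$2"
    sed -e "s/\\\$Revision\\\$/\$Revision: $rev \$/g" \
        -e "s/\\\$Id\\\$/\$Id: $file,v $rev \$/g"
}

# Expand the text on stdin only if it carries no already-expanded keywords.
# Prints the expanded text on success; returns 1 and prints nothing otherwise.
safe_expand() {
    rev="$1"; file="$2"
    text=$(cat)
    if printf '%s\n' "$text" | has_expanded_keyword; then
        echo "$file: already-expanded keywords present, refusing" >&2
        return 1
    fi
    printf '%s\n' "$text" | expand_keywords "$rev" "$file"
}

# Demonstration on the constructed samples.
REV=$(printf '%s\n' "$SAMPLE_STATUS" | working_revision)
printf '%s\n' "$SAMPLE_FILE" | safe_expand "$REV" foo.c
```

In a real build you would pipe `cvs status file` and the file itself into these functions after the base revision has been verified.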
