Derek Price wrote:
Jim Hyslop wrote:
Either way, if the server is compromised, the local file ends up
containing the exploit.
Yes, but if I ignore keyword expansion entirely (other than giving a
warning or error when keywords are present in the file at commit time),
then you won't have a CVS executable that tells you you have a valid,
signed, base revision just before it installs compromised code in your
sandbox.
I'm working up a discussion paper, which outlines various attacks and
compares how the two approaches can detect them. In order to do this
properly, I need to know exactly how you propose to ignore RCS keywords
(it's glossed over in the discussion document on the wiki).
Suppose I have rev 1.2 of a file checked out, and it contains:
#include <stdio.h>
int main( int argc, char ** argv )
{
printf("Hello, revision $Revision: 1.2$\n");
return 0;
}
will this be signed as if I am checking in the un-expanded keyword, i.e.
as if the file contains:
#include <stdio.h>
int main( int argc, char ** argv )
{
printf("Hello, revision $Revision$\n");
return 0;
}
--
Jim
_______________________________________________
Bug-cvs mailing list
[email protected]
http://lists.nongnu.org/mailman/listinfo/bug-cvs
