The design document implies that the GPG signature is made on the full file as it is committed. As a developer this bothers me, because it means I'm signing other people's code, not just my own. Chewing on this nagging doubt uncovered an exploit:
The attacker, Eve, needs shell (non-cvs) access to the repository (which can be assumed, since CVS has not been fully audited for security), as well as commit access, possibly through a compromised key. Eve commits malicious code in revision 1.18 of file foo.c, signed with Aaron's key, which she has compromised. Beth, an honest developer, commits revision 1.19 of file foo.c, signed with her uncompromised key. Eve then returns to the scene of the crime and modifies revision 1.18 to be merely an innocuous change. Later on, it is discovered that Aaron's key was compromised, and all of his commits are audited and found to be acceptable. But the change lives on in Beth's commit.

This scenario would be avoided if the actual diff being committed were signed instead of/as well as the complete file.

Alex

PS Is there a difference between [email protected] and [EMAIL PROTECTED]

-- 
https://savannah.gnu.org/projects/libcvs-spec
Access CVS through a library.
PGP: ID: 0x23DC453B FPR: 42D0 66C2 9FF8 553A 373A B819 4C34 93BA 23DC 453B
The pimp's trade must be carried out by intelligent people, is essential to any well-ordered society, and should have an official inspector. -- Don Quixote

_______________________________________________
Bug-cvs mailing list
[email protected]
http://lists.nongnu.org/mailman/listinfo/bug-cvs
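The scenario in the post, modelled as an added example (not code from the libcvs-spec project or from the poster). It plays the three commits to foo.c through a toy in-memory repository twice: once with signatures over the full file, as the design document implies, and once with signatures over the diff bound to a hash of the parent revision. HMAC-SHA256 with per-developer secret keys stands in for GPG so the example runs without gnupg; the key material, file contents and the `backdoor()` marker line are all constructed. The check an auditor would want, `failing_revisions`, recomputes what each committer's signature should cover from the repository's current state; under the diff scheme Eve's rewrite of 1.18 makes Beth's 1.19 signature stop verifying, while under the full-file scheme nothing fails and the injected line survives in the head revision.

```python
import difflib
import hashlib
import hmac

# Constructed stand-in for the developers' PGP keys: HMAC-SHA256 plays the
# role of a GPG signature so the example runs offline without gnupg.
KEYS = {"aaron": b"aaron-secret-key", "beth": b"beth-secret-key"}


def sign(author, payload):
    return hmac.new(KEYS[author], payload, hashlib.sha256).hexdigest()


def verify(author, payload, sig):
    return hmac.compare_digest(sign(author, payload), sig)


def digest(text):
    return hashlib.sha256(text.encode()).hexdigest()


def unified_diff(old, new):
    return "".join(difflib.unified_diff(old.splitlines(True), new.splitlines(True)))


def signed_payload(parent, content, scheme):
    """What the committer's signature covers under each scheme."""
    if scheme == "full-file":
        return content.encode()  # the whole file as committed, as the design document implies
    # "diff": the change itself, bound to the exact parent it was made against
    return (digest(parent) + "\n" + unified_diff(parent, content)).encode()


def commit(repo, author, content, scheme):
    parent = repo[-1]["content"] if repo else ""
    repo.append({"author": author, "content": content,
                 "sig": sign(author, signed_payload(parent, content, scheme))})


def failing_revisions(repo, scheme):
    """Indices of revisions whose signature no longer matches the repository's current state."""
    bad = []
    for i, rev in enumerate(repo):
        parent = repo[i - 1]["content"] if i else ""
        if not verify(rev["author"], signed_payload(parent, rev["content"], scheme), rev["sig"]):
            bad.append(i)
    return bad


# Constructed contents of foo.c at revisions 1.17 .. 1.19.
BASE = "int main(void) {\n    return 0;\n}\n"
MALICIOUS = "int main(void) {\n    backdoor();\n    return 0;\n}\n"
INNOCUOUS = "int main(void) {\n    /* tidy */\n    return 0;\n}\n"
BETH = "#include <stdio.h>\n" + MALICIOUS  # Beth builds on 1.18 exactly as she found it


def run_scenario(scheme):
    repo = []
    commit(repo, "beth", BASE, scheme)        # 1.17
    commit(repo, "aaron", MALICIOUS, scheme)  # 1.18, Eve signing with Aaron's compromised key
    commit(repo, "beth", BETH, scheme)        # 1.19, Beth's honest commit
    # Eve, with shell access to the repository, rewrites 1.18 in place and
    # re-signs the rewritten revision with Aaron's key.
    repo[1]["content"] = INNOCUOUS
    repo[1]["sig"] = sign("aaron", signed_payload(repo[0]["content"], INNOCUOUS, scheme))
    return {
        "aarons_commits_look_clean": "backdoor" not in repo[1]["content"],
        "backdoor_survives_in_head": "backdoor" in repo[-1]["content"],
        "revisions_failing_verification": failing_revisions(repo, scheme),
    }


if __name__ == "__main__":
    for scheme in ("full-file", "diff"):
        print(scheme, run_scenario(scheme))
```

With the full-file scheme the audit of Aaron's commits finds only the innocuous 1.18, every signature verifies, and the `backdoor()` line is still in 1.19 under Beth's valid signature. With the diff scheme, revision index 2 (Beth's 1.19) fails verification because the parent hash she signed against no longer matches the stored 1.18, which is exactly the signal the audit needs. Binding the diff to the parent's hash is an assumption of this example; signing the bare diff alone would not catch a rewrite of the parent.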
