An interesting point from a friend on IRC:

[21:36] <danderson> well, first of all, you know that in Subversion revision numbers are repository-global
[21:36] <danderson> so any commit bumps the whole repository rev by 1
[21:37] <danderson> so even if somehow one mail doesn't go out
[21:37] <danderson> the next mail to get out will have a rev that is +2 compared to the last mail
[21:37] <danderson> instead of +1
[21:37] <danderson> so you'd detect holes quite fast that way
[21:38] <danderson> furthermore, you can query the repository for the last revision it has
[21:38] <toad_> okay, and slipping one in would be quite difficult...
[21:38] <danderson> toad_: try impossible.
[21:38] <danderson> a missing revnum is just about the biggest integrity failure in the repository
[21:38] <toad_> danderson: why impossible?
[21:38] <toad_> well yeah but can't he coalesce his change with somebody else's?
[21:39] <danderson> well, that's not insertion, that's alteration
[21:39] <toad_> ... while that's possible, it would be very obvious to somebody checking the changelog
[21:39] <toad_> cool
[21:39] <danderson> and he *could*, but he'd need to insert a svndiff stream that is both compatible with previous diff streams, AND doesn't break the diff streams of followup commits
[21:40] <toad_> i'll send an email out with part of this conversation, suggesting that somebody write such a tool
[21:40] <danderson> I'm certainly not intimate with the svndiff system, but I'd wager it'd be difficult
On Sat, Oct 08, 2005 at 09:36:14PM +0100, Matthew Toseland wrote:
> If somebody compromises the Subversion (or CVS) repository, they can
> potentially do commits without them going to the commit list, and
> therefore introduce evil code. Hopefully this will be picked up, but
> Freenet is quite large. If you want a non-java task to increase
> freenet's security, I suggest a script that can cross-reference the CVS
> list emails with the actual log from SVN/CVS, and flags up any
> discrepancies. If such a thing already exists, I'd be very interested;
> if it does not, some perl hacker who can't be bothered to learn java
> could write it.
-- 
Matthew J Toseland - [EMAIL PROTECTED]
Freenet Project Official Codemonkey - http://freenetproject.org/
ICTHUS - Nothing is impossible. Our Boss says so.
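The cross-referencing script suggested in the thread, as an added example that is not from the mail or the Freenet project: it takes revision numbers from commit-list mail subjects and from `svn log --xml`, reports holes in the mailed sequence (a jump of more than +1 between consecutive mails), and lists revisions the log has that never reached the list, plus any announced revision the log lacks. The "rNNNN - path" subject format and both sample inputs are constructed assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: commit-list mail subjects. The "rNNNN - path" subject
# format is an assumption; a real run would read them from the list's mbox.
COMMIT_MAIL_SUBJECTS = [
    "r1040 - trunk/freenet/src",
    "r1041 - trunk/freenet/src/node",
    "r1043 - trunk/freenet/src/client",
    "r1044 - branches/stable",
]

# Constructed sample of `svn log --xml -r 1040:HEAD` output for the same period.
SVN_LOG_XML = """<log>
<logentry revision="1040"><author>alice</author></logentry>
<logentry revision="1041"><author>alice</author></logentry>
<logentry revision="1042"><author>mallory</author></logentry>
<logentry revision="1043"><author>bob</author></logentry>
<logentry revision="1044"><author>alice</author></logentry>
<logentry revision="1045"><author>bob</author></logentry>
</log>"""

SUBJECT_RE = re.compile(r"^r(\d+)\b")

def revs_from_mail(subjects):
    """Revision numbers announced on the commit list."""
    revs = set()
    for subject in subjects:
        m = SUBJECT_RE.match(subject)
        if m:
            revs.add(int(m.group(1)))
    return revs

def revs_from_svn_log(xml_text):
    """Map revision -> author from `svn log --xml` output."""
    root = ET.fromstring(xml_text)
    return {int(e.get("revision")): (e.findtext("author") or "?")
            for e in root.iter("logentry")}

def cross_check(subjects, xml_text):
    """Flag discrepancies between the commit list and the repository log."""
    mailed = revs_from_mail(subjects)
    logged = revs_from_svn_log(xml_text)
    ordered = sorted(mailed)
    # Revisions are repository-global, so consecutive mails must differ by
    # exactly 1; any number skipped in between is a mail that never went out.
    gaps = [r for a, b in zip(ordered, ordered[1:]) for r in range(a + 1, b)]
    unannounced = sorted(r for r in logged if r not in mailed)  # in log, no mail
    phantom = sorted(r for r in mailed if r not in logged)      # mail, not in log
    return {"gaps": gaps, "unannounced": unannounced, "phantom": phantom,
            "unannounced_authors": {r: logged[r] for r in unannounced}}
```

Run against the live list archive and `svn log --xml` on a schedule; a non-empty `gaps` or `phantom` list is the discrepancy the mail asks to be flagged, and `unannounced_authors` says whose commits to look at first.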
_______________________________________________
chat mailing list
chat@freenetproject.org
Archived: http://news.gmane.org/gmane.network.freenet.general
Unsubscribe at http://emu.freenetproject.org/cgi-bin/mailman/listinfo/chat
Or mailto:[EMAIL PROTECTED]