The short answer is "tweak[ing] dates on commits" would change the commit id which would break any other existing trees dependant on that commit and someone would notice. Really that simple.
-- Douglas Huff On Sep 2, 2011 9:19 PM, "Jeffrey Walton" <[email protected]> wrote: > Am I the only guy who finds the kernel integrity assurances suspect [1]: > > However, it's also useful to note that the potential damage of cracking > kernel.org is far less than typical software repositories. That's because > kernel development takes place using the git distributed revision control > system, designed by Linus Torvalds. For each of the nearly 40,000 files > in the Linux kernel, a cryptographically secure SHA-1 hash is calculated > to uniquely define the exact contents of that file. > > I did see the claims that git had security related design goals > (wikipedia). Unfortunately, the wikipedia reference points to a > Torvalds talk at Google where he claims "security is distributed. and > I trust 5, 10, 0r 15 developers [sic]" [2] (among his other ramblings > and bashings). So its not clear to me how Torvalds trust a few people, > therefore integrity is assured. And naively, I would also expect that > the ability to do things like "tweak dates on commits" would help hide > malicious behavior [3]. > > Could anyone explain git's security assurances to a non-git layman? > > [1] http://kernel.org/ > [2] http://www.youtube.com/watch?v=4XpnKHJAok8, 27:43 > [3] https://git.wiki.kernel.org/index.php/GitFaq#How_can_I_tweak_the_date_of_a_commit_in_the_repo.3F > _______________________________________________ > cryptography mailing list > [email protected] > http://lists.randombit.net/mailman/listinfo/cryptography
_______________________________________________ cryptography mailing list [email protected] http://lists.randombit.net/mailman/listinfo/cryptography
