On 10/29/15, Warren Young <[email protected]> wrote:
>
> I’ll bet there are a whole lot of people who would love to get some evil
> code into pretty much every smartphone in the world by hacking the SQLite
> code repo.
>
> That’s a powerful motivation. Don’t underestimate it.

That might be difficult.

(1) More is involved than just breaking the SHA1 artifact hashes. Each check-in manifest also has a hash over all content of all files in the R card. It's an MD5 hash, but that still means the attacker would have to find replacement source code that (a) matched both SHA1 and MD5 hashes and (b) was valid C code. Good luck with that.

(2) And even if an attacker were able to do this, it wouldn't likely go undetected. Remember that SQLite uses 100% branch testing. Any malicious code would also have to preserve all current functionality and also preserve 100% branch coverage to escape detection.

(3) We also do 100% inspection of all code changes between each release using "fossil diff --from release --to trunk --tk". You don't think we would see unauthorized code?

I think if the bad guys wanted to break into phones, they'd probably go after the Linux kernel first, which has far less testing and is far more loosey-goosey about configuration management and which uses Git - also with SHA1 but without the extra MD5 R-card hash.

--
D. Richard Hipp
[email protected]
_______________________________________________
fossil-users mailing list
[email protected]
http://lists.fossil-scm.org:8080/cgi-bin/mailman/listinfo/fossil-users
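
Point (1) above, as an added example that is not part of the original message and is not Fossil's own code: a checkout verifier that checks every file against its per-file SHA1 and then checks one MD5 computed over all files together. The manifest dictionary, the function names and the byte layout of the aggregate (name, size, content in sorted order) are assumptions for illustration, and the sample files are constructed.

```python
import hashlib

def sha1_hex(data):
    return hashlib.sha1(data).hexdigest()

def aggregate_md5(files):
    """One MD5 over every file's name, size and content, in sorted name order.
    Assumed layout for illustration; Fossil's exact R-card format may differ."""
    h = hashlib.md5()
    for name in sorted(files):
        h.update(name.encode())
        h.update(f" {len(files[name])}\n".encode())
        h.update(files[name])
    return h.hexdigest()

def build_manifest(files):
    # "F": per-file SHA1 entries, "R": aggregate MD5 (hypothetical structure).
    return {"F": {n: sha1_hex(c) for n, c in files.items()},
            "R": aggregate_md5(files)}

def verify_checkout(manifest, files):
    """Return a list of findings; an empty list means the checkout matches."""
    findings = []
    for name, expected in sorted(manifest["F"].items()):
        if name not in files:
            findings.append(f"missing: {name}")
        elif sha1_hex(files[name]) != expected:
            findings.append(f"sha1 mismatch: {name}")
    for name in sorted(set(files) - set(manifest["F"])):
        findings.append(f"unlisted file: {name}")
    # Independent second check: must hold even when every SHA1 entry matches.
    if aggregate_md5(files) != manifest["R"]:
        findings.append("R-card md5 mismatch")
    return findings

# Constructed sample data, not taken from any real repository.
TRUSTED = {"src/main.c": b"int main(void){return 0;}\n",
           "src/util.c": b"int add(int a,int b){return a+b;}\n"}
MANIFEST = build_manifest(TRUSTED)
TAMPERED = dict(TRUSTED, **{"src/util.c": b"int add(int a,int b){return a-b;}\n"})
# Models a manifest whose per-file SHA1 entry agrees with the altered file
# while the aggregate hash is unchanged: the second check still fails.
SHA1_ONLY_MATCH = {"F": dict(MANIFEST["F"],
                             **{"src/util.c": sha1_hex(TAMPERED["src/util.c"])}),
                   "R": MANIFEST["R"]}

if __name__ == "__main__":
    print(verify_checkout(MANIFEST, TRUSTED))
    print(verify_checkout(MANIFEST, TAMPERED))
    print(verify_checkout(SHA1_ONLY_MATCH, TAMPERED))
```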

