Hello,
I can't believe that a so called community manager (Warren) could say theses
... :D
I assume that most of you have read Warren Stuff ?
1/ Hey Warren, you know nothing about security software so don't speak about
it. :-|
2/ CentOS does not need any advice from you : they know their stuff.a) SHA
algorithm is not an issue when it is more a test for integrity such as MD5 for
files than anything else.b) You are like a kid who focuses on ONE thing when
people like me are focusing in MANY things even when it comes to ONE subject.c)
CentOS uses many tools to know who is sending what.You could force people to
follow some procedures to be allowed to put a precise info into a specific
server :
Say, you can ask the guy to use SSH first to connect, and only after he could
work : no GPG, nothing else needed...I don't even talk about port knocking...
So they can rely on ONLY SHA1 if they want that, this is not an issue at all !
So YOUR sentence "it’ll be a problem if git.centos.org is still relying on SHA1
hashes" IS NOT RELEVANT.
3/>"Point #2 is also questionable. Torvalds is assuming that any collision
attack on a Git"
Really ? As I understand Fossil points (security etc) are not seriously
questionable [for you] ... but Linus point is ? Are you kidding ?
MY assumption is that Linus would like that a guy such as a Fossil Team guy,
could understand that it is NOT that hard to make some changes with the SHA
algorithm...
In another word :
4/ When you say that plans are easy but execution is hard ... You miss the
point.a) Plans are necessary for serious project.b) Plans done, execution is
not that hard : it may take time but it is not that hard.c) Appropriate tools
are needed to achieve plans in time and expectations...
Serious project = Plans ! OK ?
If for you SHA1 is not a serious project, then I would like you to explain it
to us... :D
5/ All this said :I've noticed that there are too much details in Linus Torvald
discuss. I suppose that he was thinking about guys like you Warren ?You know
the guy that don't get it. :-)
Regards
K.
De : Warren Young <[email protected]>
À : Fossil SCM user's discussion <[email protected]>
Envoyé le : Lundi 27 février 2017 18h10
Objet : Re: [fossil-users] Google Security Blog: Announcing the first SHA1
collision
On Feb 26, 2017, at 2:58 PM, Stephan Beal <[email protected]> wrote:
>
> just FYI, Linus' own words on the topic, posted yesterday:
>
> https://plus.google.com/u/0/+LinusTorvalds/posts/7tp2gYWQugL
Point #1 misses the fact that people *do* rely on Git hashes for security.
Maybe they’re not “supposed” to, but they do.
For example, the CentOS sources are published through Git these days, rather
than as a pile of potentially-signed SRPM files. This means the only assurance
you have that the content checked into Git hasn’t been tampered with is that
the hashes are consistent.
(I randomly inspected one of their repos, and it doesn’t use GPG signed
commits, so the hashes are all you’ve got.)
This is adequate security today, but once bad actors can do these SHA1 attacks
inexpensively, it’ll be a problem if git.centos.org is still relying on SHA1
hashes.
Point #2 is also questionable. Torvalds is assuming that any collision attack
on a Git checkin will be detectable because of the random noise you have to
insert into both instances to make them match.
Except that you don’t have to do it with random noise.
Thought experiment time: Given that it is now mature technology to be able to
react to a useful subset of the spoken English language either over a crappy
cell phone connection or via shouting at a microphone in a canister in the next
room, complete with query chaining (e.g. Google Now, Amazon Echo, etc.) how
much more difficult is it to write an “AI” that can automatically generate
sane-looking but harmless C code in the middle of a pile of other C code to
fuzz its data bits?
I have no training in AI type stuff, but I think I could do a pretty decent job
just by feeding a large subset of GitHub into a Markov chain model. Now
imagine what someone with training, motivation, and resources could do.
Or, don't imagine. Just go read the Microsoft Research paper on DeepCoder:
https://news.ycombinator.com/item?id=13720580
I suspect there are parts of the Linux kernel sources that are
indistinguishable from the output of a Markov chain model. :) *Someone*
allowed those patches to be checked in.
As for his point #3, he just offers it without support. He says there’s a
plan. Well, we have a plan, too. Plans are easy. Execution is the hard part.
_______________________________________________
fossil-users mailing list
[email protected]
http://lists.fossil-scm.org:8080/cgi-bin/mailman/listinfo/fossil-users
_______________________________________________
fossil-users mailing list
[email protected]
http://lists.fossil-scm.org:8080/cgi-bin/mailman/listinfo/fossil-users