Nathaniel Smith wrote:
> No, it simply wipes out the revision and its certs, as if they never
> existed.  (Except that as you note, it does leave some of the
> associated data behind in the database, but there's no way to get at
> this data except by poking around in the db by hand.)
>
> This isn't really a security issue, though, because it only affects
> the database that it's run on.

Yes, it is, because it easily allows a DoS attack from a malicious developer or someone with a developer's credentials, and there is no way to identify the attacker. Second, the fact that you can recover from a disaster does not mean that the attack did not succeed. There are three aspects to security against an attack:

1) Prevention.
2) Detection.
3) Recovery.


Against this particular attack, Monotone only has recovery. Monotone has a great recovery system, but something in the way of prevention or detection would be a worthy improvement. For example:

1) Prevention: Remove or somehow restrict the "db kill_rev_locally" command and the "db execute" command.

2) Detection: Record who runs "db kill_rev_locally" (recording "db execute" is kind of pointless).


Daniel.


_______________________________________________
Monotone-devel mailing list
[email protected]
http://lists.nongnu.org/mailman/listinfo/monotone-devel
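To make the prevention/detection split in Daniel's proposal concrete, here is an added example of the kind of control a site could put in front of the `mtn` binary today, without changing Monotone itself. This is constructed illustration, not code from the thread or from the Monotone project: it assumes the real binary has been moved to a path given by `REAL_MTN` and that an audit log path `MTN_AUDIT_LOG` exists (both names are invented here). It refuses `db execute` outright and records the invoking user, time and arguments whenever `db kill_rev_locally` is run.

```shell
#!/bin/sh
# Constructed example: wrapper installed ahead of the real `mtn` on PATH.
# Prevention: "db execute" is refused.
# Detection:  "db kill_rev_locally" is recorded (who, when, which arguments)
#             before the command is handed to the real binary.
# REAL_MTN and MTN_AUDIT_LOG are illustrative names, not Monotone settings.

REAL_MTN="${REAL_MTN:-/usr/local/libexec/mtn.real}"
MTN_AUDIT_LOG="${MTN_AUDIT_LOG:-/var/log/mtn-audit.log}"

# policy_for COMMAND [SUBCOMMAND ...]
# Prints exactly one of: deny, audit, allow.
# Only the "db" command family is inspected; everything else passes through.
policy_for() {
    if [ "$1" != "db" ]; then
        echo allow
        return 0
    fi
    case "$2" in
        execute)          echo deny ;;
        kill_rev_locally) echo audit ;;
        *)                echo allow ;;
    esac
}

# audit_record USER ARGS...
# Prints one tab-separated log line: UTC timestamp, user, full command line.
audit_record() {
    user="$1"
    shift
    printf '%s\t%s\t%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$user" "$*"
}

# Dispatch only when invoked with a command line (so the functions above can
# also be sourced and tested without running anything).
if [ "$#" -gt 0 ]; then
    case "$(policy_for "$@")" in
        deny)
            echo "mtn: 'db execute' is disabled by local policy" >&2
            exit 1
            ;;
        audit)
            # Prefer the sudo caller's name when run through sudo, so the log
            # names a person rather than the shared account.
            audit_record "${SUDO_USER:-$(id -un)}" "$@" >>"$MTN_AUDIT_LOG" || exit 1
            ;;
    esac
    exec "$REAL_MTN" "$@"
fi
```

A caveat that follows directly from the thread: the wrapper controls only the front door. As Nathaniel notes, the data is still reachable by poking around in the database by hand, and `db execute` is arbitrary SQL, so anyone with the real binary or a SQLite client on the same machine can bypass both the refusal and the log. This gives attribution for the ordinary case Daniel describes (a developer running the command), not a hard control; real prevention would have to live in Monotone or in the netsync trust model rather than in a PATH shim.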
