On Mon, Nov 13, 2017 at 2:38 PM, HW42 <h...@ipsumj.de> wrote:
> Peter Todd:
>> On Mon, Nov 13, 2017 at 02:01:24PM -0500, Konstantin Ryabitsev wrote:
>>>> I do agree that there's more potential for a change in git to be noticed,
>>>> but I have to wonder how much that's actually true in practice? A backdoor
>>>> can easily be a one character code change, and that's rather difficult to
>>>> spot.
>>>
>>> It isn't nearly as difficult to spot when it's a part of a git commit,
>>> because it will stand so much more in a diff than it would inside a 600MB
>>> tarball. :)
>>
>> Yes, we agree one has a 0% chance of being noticed; the other has a 0% +
>> epsilon chance. :)
>
> Could you explain why you think so? As discussed below the tarball is
> generated (almost) deterministically so spotting a tarball which does
> not match the git commit is trivial (and even possible to automate). So
> why is spotting a manipulated tarball harder?

Because in practice people do not do that. Even I did not consider
doing that in the context of this post.

My assumption was that "if the tarball signed by the developer is
somehow evil, then the developer is either compromised or themselves
malicious, and in both cases we're screwed anyway so there's no point
checking against git". Perhaps this is flawed reasoning, perhaps not,
but it does allow for the possibility of unnoticed changes in the
tarball not present in git.
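
The automated tarball-versus-git check discussed in this thread, sketched as an added example that is not part of the original messages or of the Qubes tooling. It assumes the tarball has a single top-level directory and the checkout sits at the release tag; all function names and the sample files are constructed for illustration.

```python
import hashlib, io, os, tarfile, tempfile

def tar_manifest(tar_path):
    """Map path (top-level directory stripped) -> SHA-256 for regular files in the tarball."""
    out = {}
    with tarfile.open(tar_path) as tf:
        for m in tf:
            rel = m.name.split("/", 1)[1] if "/" in m.name else ""
            if m.isfile() and rel:  # symlinks and device nodes are ignored in this sketch
                out[rel] = hashlib.sha256(tf.extractfile(m).read()).hexdigest()
    return out

def tree_manifest(root):
    """Same mapping for a checkout directory, skipping the .git metadata."""
    out = {}
    for d, dirs, files in os.walk(root):
        dirs[:] = [x for x in dirs if x != ".git"]
        for f in files:
            p = os.path.join(d, f)
            with open(p, "rb") as fh:
                rel = os.path.relpath(p, root).replace(os.sep, "/")
                out[rel] = hashlib.sha256(fh.read()).hexdigest()
    return out

def compare(tar_path, checkout):
    """Report every path on which the release tarball and the checkout disagree."""
    t, g = tar_manifest(tar_path), tree_manifest(checkout)
    return {
        "only_in_tarball": sorted(set(t) - set(g)),
        "only_in_git": sorted(set(g) - set(t)),
        "modified": sorted(p for p in t.keys() & g.keys() if t[p] != g[p]),
    }

def demo():
    """Constructed sample: the tarball differs by one character and one extra file."""
    work = tempfile.mkdtemp()
    src = os.path.join(work, "checkout")
    os.makedirs(os.path.join(src, ".git"))
    files = {"auth.c": b"if (uid == 0) allow();\n", "README": b"demo\n"}
    for name, data in files.items():
        with open(os.path.join(src, name), "wb") as fh:
            fh.write(data)
    tampered = dict(files, **{"auth.c": b"if (uid = 0) allow();\n", "extra.sh": b"#!/bin/sh\n"})
    tar_path = os.path.join(work, "release-1.0.tar.gz")
    with tarfile.open(tar_path, "w:gz") as tf:
        for name, data in tampered.items():
            info = tarfile.TarInfo("release-1.0/" + name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return compare(tar_path, src)
```

Files that the build legitimately generates into the tarball show up under `only_in_tarball`, so a real check needs a reviewed allowlist for them.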
