Re: Re: Merge with git-pasky II.

[Ingo Molnar]

* Linus Torvalds [EMAIL PROTECTED] wrote:

 On Sun, 17 Apr 2005, Ingo Molnar wrote:
  
  in fact, this attack cannot even be proven to be malicious, purely via 
  the email from Malice: it could be incredible bad luck that caused that 
  good-looking patch to be mistakenly matching a dangerous object.
 
 I really hate theoretical discussions.

i was only replying to your earlier point:

   Almost all attacks on sha1 will depend on _replacing_ a file with 
   a bogus new one. So guys, instead of using sha256 or going 
   overboard, just make sure that when you synchronize, you NEVER 
   import a file you already have.

which point i still believe is subtly wrong. You were suggesting to 
concentrate on file replacement to counter most of the practical 
attacks, while i pointed out an attack _using the same basic mechanism 
that your point above supposed_.

[ if you can replace a file with a known hash, with a bogus new one, and 
  you still have enough control over the contents of your bogus new file 
  that it is 1) a valid file that builds 2) compromises the kernel, then 
  you likely have the same amount of control my 'theoretical' attack
  requires. ]

 And the thing is, _if_ somebody finds a way to make sha1 act as just a 
 complex parity bit, and comes up with generating a clashing object 
 that actually makes sense, then going to sha256 is likely pointless 
 too [...]

yes, that's why i suggested to not actually trust the hash to be 
cryptographically secure, but to just assume it's a good generic hash we 
can design a DB around, and to turn -DCOLLISION_CHECK on and enforce 
consistency rules on boundaries.

[ it's not bad to keep sha1 because even my suggested enhancement still
  leaves 'content-less trust-pointers to untrusted content via email'
  vectors open against attack (maintainer sends you an email that commit
  X in Malice's repository Y is fine to pull, and you pull it blindly,
  while the attacker has replaced his content with the compromised one
  meanwhile), but it at least validates the bulk traffic that goes into
  the DB: patches via emails and trusted repositories. ]

so all i was suggesting was to extend your suggested 'overwrite 
collision check' to a stricter 'content we throw away and use the sha1 
shortcut for needs to be checked against the in-DB content as well'.

in other words, your suggested 'rename check' is checking for 'positive 
duplicate content', while my addition would also check for 'negative 
duplicate content' as well.

but as usual, i could be wrong, so dont take this too serious :-)

Ingo
-
To unsubscribe from this list: send the line unsubscribe git in
the body of a message to [EMAIL PROTECTED]
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: Re: Merge with git-pasky II.

[Ingo Molnar]

* Ingo Molnar [EMAIL PROTECTED] wrote:

 The compromise relies on you having reviewed something harmless, while 
 in reality what happened within the DB was far less harmless. And the 
 DB remains self-consistent: neither fsck, nor others importing your 
 tree will be able to detect the compromise. This attack can only be 
 detected when you apply the patch, after that point all the 
 information (except Malice's message in your inbox) is gone.

in fact, this attack cannot even be proven to be malicious, purely via 
the email from Malice: it could be incredible bad luck that caused that 
good-looking patch to be mistakenly matching a dangerous object.

In fact this could happen even today, _accidentally_. (but i'm willing 
to bet that hell will be freezing over first, and i'll have some really 
good odds ;) There's probably a much higher likelyhood of Linus' tree 
getting corrupted in some old fashioned way and introducing a security 
hole by accident)

Ingo
-
To unsubscribe from this list: send the line unsubscribe git in
the body of a message to [EMAIL PROTECTED]
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: Re: Merge with git-pasky II.

[Simon Fowler]

On Sat, Apr 16, 2005 at 06:03:33PM +0200, Petr Baudis wrote:
 Dear diary, on Sat, Apr 16, 2005 at 05:55:37PM CEST, I got a letter
 where Simon Fowler [EMAIL PROTECTED] told me that...
  On Sat, Apr 16, 2005 at 05:19:24AM -0700, David Lang wrote:
   Simon
   
   given that you have multiple machines creating files, how do you deal 
   with 
   the idea of the same 'unique id' being assigned to different files by 
   different machines?
   
  The id is a sha1 hash of the current time and the full path of the
  file being added - the chances of that being replicated without
  malicious intent is extremely small. There are other things that
  could be used, like the hostname, username of the person running the
  program, etc, but I don't really see them being necessary.
 
 Why not just use UUID?
 
Hey, everything else in git seems to use sha1, so I just copied
Linus' sha1 code ;-)

All I wanted was something that had a good chance of being unique
across any potential set of distributed repositories, to avoid the
chance of accidental clashes. A sha1 hash of something that's not
likely to be replicated is a simple way to do that.

Simon

-- 
PGP public key Id 0x144A991C, or http://himi.org/stuff/himi.asc
(crappy) Homepage: http://himi.org
doe #237 (see http://www.lemuria.org/DeCSS) 
My DeCSS mirror: ftp://himi.org/pub/mirrors/css/ 


signature.asc
Description: Digital signature

Re: Re: Re: Merge with git-pasky II.

[Petr Baudis]

Dear diary, on Thu, Apr 14, 2005 at 10:23:26PM CEST, I got a letter
where Erik van Konijnenburg [EMAIL PROTECTED] told me that...
 On Thu, Apr 14, 2005 at 09:35:07PM +0200, Petr Baudis wrote:
  Hmm. I actually don't like this naming. I think it's not too consistent,
  is irregular, therefore parsing it would be ugly. What I propose:
  
  12c\tname - legend
- original file
  D - tree #1 removed file
   D- tree #2 removed file
  DD- both trees removed file
  M - tree #1 modified file
   M
  DM*   - conflict, tree #1 removed file, tree #2 modified file
  MD*
  MM- exact same modification
  MM*   - different modifications, merging
  
  This is generic, theoretically scales well even to more trees, is easy
  to parse trivially, still is human readable (actually the asterisk in
  the 'conflict' column is there basically only for the humans), is
  completely regular and consistent.
 
 Detail: perhaps use underscore instead of space, to avoid space/tab typos
 that are invisible on paper and user friendly mail clients?

I'd go for dots in that case. Looks less intrusive. :^)

-- 
Petr Pasky Baudis
Stuff: http://pasky.or.cz/
C++: an octopus made by nailing extra legs onto a dog. -- Steve Taylor
-
To unsubscribe from this list: send the line unsubscribe git in
the body of a message to [EMAIL PROTECTED]
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: Re: Merge with git-pasky II.

[Christopher Li]

Is that some thing you want to see? Maybe clean up the error printing.


Chris

--- /dev/null   2003-01-30 05:24:37.0 -0500
+++ merge.py2005-04-14 16:34:39.0 -0400
@@ -0,0 +1,76 @@
+#!/usr/bin/env python
+
+import re
+import sys
+import os
+from pprint import pprint
+
+def get_tree(commit):
+data = os.popen(cat-file commit %s%commit).read()
+return re.findall(r(?m)^tree (\w+), data)[0]
+
+PREFIX = 0
+PATH = -1
+SHA = -2
+ORIGSHA = -3
+
+def get_difftree(old, new):
+lines = os.popen(diff-tree %s %s%(old, new)).read().split(\x00)
+patterns = (r(\*)(\d+)-(\d+)\s(\w+)\s(\w+)-(\w+)\s(.*),
+   r([+-])(\d+)\s(\w+)\s(\w+)\s(.*))
+res = {}
+for l in lines:
+   if not l: continue
+   for p in patterns:
+   m = re.findall(p, l)
+   if m:
+   m = m[0]
+   res[m[-1]] = m
+   break
+   else:
+   raise difftree: unknow line, l
+return res
+
+def analyze(diff1, diff2):
+diff1only = [ diff1[k] for k in diff1 if k not in diff2 ]
+diff2only = [ diff2[k] for k in diff2 if k not in diff1 ]
+both = [ (diff1[k],diff2[k]) for k in diff2 if k in diff1 ]
+
+action(diff1only)
+action(diff2only)
+action_two(both)
+
+def action(diffs):
+for act in diffs:
+   if act[PREFIX] == *:
+   print modify, act[PATH], act[SHA]
+   elif act[PREFIX] == '-':
+   print remove, act[PATH], act[SHA]
+   elif act[PREFIX] == '+':
+   print add, act[PATH], act[SHA]
+   else:
+   raise unknow action
+
+def action_two(diffs):
+for act1, act2 in diffs:
+   if len(act1) == len(act2):  # same kind type
+   if act1[PREFIX] == act2[PREFIX]:
+   if act1[SHA] == act2[SHA] or act1[PREFIX] == '-': 
+   return action(act1)
+   if act1[PREFIX]=='*':
+   print do_merge, act1[PATH], act1[ORIGSHA], act1[SHA], 
act2[SHA]
+   return
+   print unable to handle, act[PATH]
+   print one side wants, act1[PREFIX]
+   print the other side wants, act2[PREFIX]
+   
+
+args = sys.argv[1:]
+if len(args)!=3:
+print Usage merge.py common rev1 rev2
+trees = map(get_tree, args)
+print checkout-tree, trees[0]
+diff1 = get_difftree(trees[0], trees[1])
+diff2 = get_difftree(trees[0], trees[2])
+analyze(diff1, diff2)
+
-
To unsubscribe from this list: send the line unsubscribe git in
the body of a message to [EMAIL PROTECTED]
More majordomo info at  http://vger.kernel.org/majordomo-info.html