From: Piotr Szymaniak
To: gentoo-dev@lists.gentoo.org
Subject: Re: [gentoo-dev] git security (SHA-1)
Date: Wed, 17 Sep 2014 21:58:51 +0200
Message-ID: <20140917195851.GL1945@wloczykij>
References: <5416D54C.8020706@gentoo.org> <54183EC9.4060303@gentoo.org> <54184992.1070502@gentoo.org> <54184BE4.6040304@gentoo.org> <20140917110408.GA2113@gengoff.gsmr1.local> <20140917120831.042769e1@googlemail.com>
User-Agent: Mutt/1.5.23 (2014-03-12)
On Wed, Sep 17, 2014 at 07:21:08AM -0400, Tim Boudreau wrote:
> If someone wants to commit malicious code into Gentoo, they're far more
> likely to take the ugly but pragmatic approach of, say, forcing someone to
> commit malicious code at gunpoint and then shooting them, than to go to the
> vast effort it would take to come up with malicious code that conveniently
> has the same SHA-1 hash as an existing commit.

But... what's the point? Upload an ugly backdoor to all Gentoo users? (like there're 0,01% of computer users out there?) It would be easier to just gunpoint "the interesting user" or torture him for keys/passwords/whatever in some creepy basement. This looks like someone has a really bad fantasy about Gentoo ruling the world where every bad guy/terrorist/you-name-it uses this super-secured-gpged-git-portage (and looking at the "Snowden files", all this is already exploited ;).

Piotr Szymaniak.

-- 
... the notion that humanity is heading toward some truly nice destiny is a fairy tale for children under six years of age, like the Good Fairy, the Easter Bunny and Santa Claus.
-- Kurt Vonnegut, "Hokus Pokus"