Steffen Nurpmeso wrote this message on Tue, Dec 29, 2020 at 22:04 +0100:
> |SolarWinds supply chain attack, being able to smuggle a modified file
> |into a git repo, say an OS's build server, such that the tools don't
> |know the tree is modified is a real problem...
>
> SHA-256 arrives, if you look at the git history.  Until then
> signing a git tag even with SHA-1 is better than being unsealed.

Actually, no it is not.  It provides a false sense of security.  SHA-1
should only be used as a checksum (detecting non-malicious corruption)
now.

There's a reason I stopped signing (and even removed the historical
signatures of) the magnet links that I produce for FreeBSD.

This is also why I expanded the snapaid tool to support releases, to
make it extremely easy to verify signatures:
https://www.funkthat.com/gitea/jmg/snapaid

> This attack, well, interesting that FreeBSD with so many
> developers with ssh push hasn't been soiled more often.  I am

And that is why it isn't a major problem yet, in that there are
additional layers of security, both ssh and https, that help ensure
integrity of the repo in transit...

> cautious regarding such, there is a tremendous amount of
> propaganda against Russia and China going on .. and then who
> tapped the cables, who has the budget, hmm.  I have read one US
> national security alert report once, and all i could see was

I am well aware of this, and in fact, the reason I've been pushing for
better security like this IS because of the actions of the NSA...  I
used to get lunch on a weekly basis across the street from one of the
early revealed NSA wiretap rooms.

-- 
  John-Mark Gurney				Voice: +1 415 225 5579

     "All that I will do, has been done, All that I have, has not."

Received on Tue Dec 29 2020 - 23:46:24 UTC
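What a signed git tag actually binds, as an added example in Python (this is not code from the message above, from snapaid, or from FreeBSD): it reproduces git's object hashing for blob, tree, commit and tag objects with either SHA-1 or SHA-256 as the hash, and shows that the bytes a tag signature covers name the tagged commit only by its object id. The author string, tag name and file contents are constructed for the example.

```python
import hashlib

# Constructed identity for the example; not a real committer.
AUTHOR = "Example Dev <dev@example.invalid> 1609280640 +0100"


def git_object_id(obj_type: str, data: bytes, algo: str = "sha1") -> str:
    """Object id exactly as git computes it: hash("<type> <len>\\0" + data).

    git's SHA-256 repositories keep the same framing and only swap the hash,
    so algo="sha256" yields the id such a repository would assign.
    """
    header = f"{obj_type} {len(data)}\0".encode()
    return hashlib.new(algo, header + data).hexdigest()


def tree_object(entries) -> bytes:
    """Serialise tree entries (mode, name, oid_hex) in git's binary format.

    Each entry is "<mode> <name>\\0" followed by the raw (binary) object id;
    git stores entries sorted by name.
    """
    body = b""
    for mode, name, oid_hex in sorted(entries, key=lambda e: e[1]):
        body += f"{mode} {name}\0".encode() + bytes.fromhex(oid_hex)
    return body


def commit_object(tree_oid: str, author: str, message: str) -> bytes:
    """A root commit (no parent) pointing at one tree."""
    return (
        f"tree {tree_oid}\nauthor {author}\ncommitter {author}\n\n{message}\n"
    ).encode()


def tag_payload(commit_oid: str, tag_name: str, tagger: str, message: str) -> bytes:
    """The tag object content that a PGP/SSH signature on an annotated tag
    covers.  git appends the signature block after this payload; note that
    the only reference to the tagged content is the commit's object id."""
    return (
        f"object {commit_oid}\ntype commit\ntag {tag_name}\n"
        f"tagger {tagger}\n\n{message}\n"
    ).encode()


def signed_payload_for_tree(files: dict, algo: str = "sha1"):
    """Build blob -> tree -> commit -> tag for a flat set of files and
    return (bytes the tag signature covers, commit id)."""
    entries = [("100644", name, git_object_id("blob", data, algo))
               for name, data in files.items()]
    tree_oid = git_object_id("tree", tree_object(entries), algo)
    commit_oid = git_object_id("commit", commit_object(tree_oid, AUTHOR, "import"), algo)
    return tag_payload(commit_oid, "release/1.0", AUTHOR, "Release 1.0"), commit_oid


def tamper_changes_signed_bytes(original: dict, tampered: dict, algo: str = "sha1") -> bool:
    """True when editing a file changes the bytes under the tag signature.

    This is the only mechanism by which the signature protects the tree:
    the content reaches the signed bytes solely through the hash chain.  A
    second preimage or collision for any object in that chain (blob, tree or
    commit) under `algo` would leave this payload, and so the signature,
    unchanged.
    """
    p_orig, _ = signed_payload_for_tree(original, algo)
    p_tamp, _ = signed_payload_for_tree(tampered, algo)
    return p_orig != p_tamp


if __name__ == "__main__":
    good = {"hello.txt": b"hello\n"}
    bad = {"hello.txt": b"hello\n#include <backdoor.h>\n"}  # constructed edit
    for algo in ("sha1", "sha256"):
        payload, oid = signed_payload_for_tree(good, algo)
        print(algo, "commit", oid)
        print(payload.decode(), end="")
        print("tamper detected:", tamper_changes_signed_bytes(good, bad, algo))
```

The payload printed by the block contains no file name and no file bytes, only the commit id, so the signature is exactly as strong as the collision and second-preimage resistance of the hash that produced that id. Creating a repository whose object ids use SHA-256 is done with `git init --object-format=sha256`.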
This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:41:26 UTC