From: Konstantin Kliakhandler
Subject: Re: [O] Why no secure code retrieval
Date: Mon, 4 Jul 2016 01:36:59 +0300
The SHA1s are reference elements used throughout git, and are primarily for integrity protection against accidents, not against attackers. Hence it's sufficient that they be maintained by the git processes.
The plain vanilla git process does not include distribution of SHA1
values by an independent path, so it's not easy to verify against a
trusted source for the correct values.
> Getting the same data via https doesn't give you that sort of guarantee
> either, it only ensures that the data cannot be read and altered in
> transport. If the server or repo gets compromised, then it is game over
> until someone notices that the server suddenly doesn't match up with the local clone.
This would be a reasonable step for org-mode releases. The release
process only involves a few people, and key management would not be too
hard. It doesn't solve the problem for non-git distribution methods.
My guess is that the ELPA users are the most exposed. Fixing that
really belongs to ELPA, but if I were putting together the cyber
security plan for org-mode I would call out this gap and make clear that
it is a gap that can't be easily solved by org-mode. (Maybe tweaking
someone more familiar with ELPA to tell me how to solve it for ELPA.)
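The point made above, that a git SHA1 is only a content address and only becomes a security check once the expected value reaches you by an independent path, can be shown without any network at all. The following is an added example, not code from this thread or from the org-mode project: it recomputes git's object ids (blob, tree, commit) for a small constructed "release" with Python's hashlib, treats the resulting commit id as the value a maintainer would publish out of band (for example in a signed release announcement), and then checks a clone against that pin. The file contents, author identity, timestamp and commit message are all constructed for the illustration; the tree builder handles a single flat directory only, which is a simplification of the real git tree format. In practice the same check is what `git verify-tag` on a `git tag -s` tag gives you, with the signature standing in for the out-of-band channel.

```python
import hashlib


def git_object_id(kind: str, payload: bytes) -> str:
    """Hash an object exactly as git does: sha1(b"<kind> <size>\\0" + payload)."""
    header = f"{kind} {len(payload)}\0".encode()
    return hashlib.sha1(header + payload).hexdigest()


def blob_id(content: bytes) -> str:
    """Id of a file's contents; matches `git hash-object` on the same bytes."""
    return git_object_id("blob", content)


def tree_id(files: dict) -> str:
    """Id of one flat directory {name: bytes}, every entry a regular file (mode 100644).
    Simplification for this example: no subdirectories, no other modes."""
    body = b""
    for name in sorted(files):  # git stores tree entries sorted by name
        body += b"100644 " + name.encode() + b"\0" + bytes.fromhex(blob_id(files[name]))
    return git_object_id("tree", body)


# Constructed identity and timestamp; in git these live in the commit header.
IDENT = "Release Bot <release@example.invalid> 1467585419 +0300"


def commit_id(tree: str, message: str, ident: str = IDENT) -> str:
    """Id of a root commit (no parent) pointing at `tree`."""
    payload = (
        f"tree {tree}\n"
        f"author {ident}\n"
        f"committer {ident}\n"
        f"\n{message}\n"
    ).encode()
    return git_object_id("commit", payload)


def verify_pinned(files: dict, message: str, pinned_commit: str) -> bool:
    """Does a checkout (files + commit message) reproduce the commit id we were
    told to expect through an independent channel?  Because the commit id
    covers the tree and the tree covers every blob, one pinned value
    protects the whole release, not just one file."""
    return commit_id(tree_id(files), message) == pinned_commit


# Constructed release contents; imagine this is what the maintainer tagged.
RELEASE_FILES = {
    "README": b"Org-mode release 9.0\n",
    "lisp/org.el": b";;; org.el --- constructed placeholder\n",
}
RELEASE_MESSAGE = "Release 9.0"

# The maintainer computes this once at release time and publishes it outside
# git (e.g. in a signed announcement mail).  A downstream verifier must get
# it from that channel, never from the server it is checking.
PINNED_COMMIT = commit_id(tree_id(RELEASE_FILES), RELEASE_MESSAGE)

# A compromised server serving the same tag name with one byte changed in one
# file: the blob id changes, so the tree id changes, so the commit id changes.
TAMPERED_FILES = dict(RELEASE_FILES)
TAMPERED_FILES["lisp/org.el"] = RELEASE_FILES["lisp/org.el"] + b"(shell-command \"id\")\n"


def demo() -> tuple:
    """Return (genuine verifies, tampered verifies) for the constructed data."""
    return (
        verify_pinned(RELEASE_FILES, RELEASE_MESSAGE, PINNED_COMMIT),
        verify_pinned(TAMPERED_FILES, RELEASE_MESSAGE, PINNED_COMMIT),
    )


if __name__ == "__main__":
    print("pinned commit:", PINNED_COMMIT)
    print("genuine ok, tampered ok:", demo())
```

Note what this does and does not buy you: a clone whose tip hash equals the pinned value is byte-for-byte the release the maintainer hashed, but if the pinned value itself is fetched over the same channel as the repository (the project web page on the same compromised host, for instance), an attacker simply rewrites both. The independent path is the security property; the hash is only the handle. Signed tags solve the distribution problem by binding the pin to a key instead of to a second server.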