On Tue, Aug 3, 2010 at 11:16 AM, Matt McCutchen <matt(a)mattmccutchen.net> wrote:
> don't want malware landing on my machine because someone did a MITM
> attack on a Fedora maintainer's unencrypted "git fetch" and inserted
> some extra patches to get pushed back to the real repository later.
The git protocol makes it extremely hard to inject malware
successfully. It would have to match sha1, _and_ match resulting
filesize _and_ be meaningful code, all without the benefits of
preimaging.
Even for crypto hashes that have been "broken" for a while, doing the
above is a huge challenge.
If you do consider this a real risk, here's someone who wants to
play with you, and build a bunker, 5 miles underground...
http://marc.info/?l=git&m=111375923219555&w=2
:-)
martin (formerly, a git hacker)
--
martin.langhoff(a)gmail.com
martin(a)laptop.org -- School Server Architect
- ask interesting questions
- don't get distracted with shiny stuff - working code first
- http://wiki.laptop.org/go/User:Martinlanghoff
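An added illustration of the point Martin makes above, not code from the original thread or from git itself: git's object id is the SHA-1 of a header "<type> <size>\0" followed by the payload, so a substituted object must reproduce both the hash and the byte length, and every tree and commit refers to its children only by that id. The receiver-side check below is a simplified model of what a client does when it verifies fetched objects, with a constructed "injected patch" blob standing in for the tampering.

```python
import hashlib


def git_object_id(obj_type: str, payload: bytes) -> str:
    """Return the SHA-1 object id git assigns to a loose object.

    The hash covers "<type> <size>\\0" + payload, so the id binds the
    object's type and byte length as well as its content. A swapped-in
    object therefore has to match the original's size to even hash the
    same header, which is the "match resulting filesize" constraint.
    """
    header = f"{obj_type} {len(payload)}\0".encode()
    return hashlib.sha1(header + payload).hexdigest()


def tree_entry(mode: str, name: str, object_id: str) -> bytes:
    """Encode one tree entry as git does: "<mode> <name>\\0" + 20 raw bytes."""
    return f"{mode} {name}\0".encode() + bytes.fromhex(object_id)


def verify_fetched_object(expected_id: str, obj_type: str, payload: bytes) -> bool:
    """Accept a received object only if recomputing its id yields the id
    that its parent (tree or commit) references. This is the check that
    makes an on-path substitution during fetch detectable."""
    return git_object_id(obj_type, payload) == expected_id


def demo() -> dict:
    """Constructed scenario: a clean source file in a tree, then a tampered
    copy of the same file arriving in its place during a fetch."""
    clean_src = b"hello\n"  # constructed file content
    blob_id = git_object_id("blob", clean_src)
    # The tree pins the blob by id, and the tree's own id would change if
    # the entry pointed anywhere else, so the chain continues upward.
    tree_payload = tree_entry("100644", "hello.c", blob_id)
    tree_id = git_object_id("tree", tree_payload)

    tampered_src = clean_src + b"/* injected patch */\n"  # constructed tampering
    return {
        "blob_id": blob_id,
        "tree_id": tree_id,
        "clean_accepted": verify_fetched_object(blob_id, "blob", clean_src),
        "tampered_accepted": verify_fetched_object(blob_id, "blob", tampered_src),
    }


if __name__ == "__main__":
    print(demo())
```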