On Tue, Aug 3, 2010 at 11:16 AM, Matt McCutchen <matt@xxxxxxxxxxxxxxxxx> wrote:
> don't want malware landing on my machine because someone did a MITM
> attack on a Fedora maintainer's unencrypted "git fetch" and inserted
> some extra patches to get pushed back to the real repository later.

The git protocol makes it extremely hard to inject malware
successfully. It would have to match sha1, _and_ match resulting
filesize _and_ be meaningful code, all without the benefits of
preimaging.

Even for crypto hashes that have been "broken" for a while, doing the
above is a huge challenge.

If you do consider this a real risk, here's someone who wants to
play with you, and build a bunker, 5 miles underground...

http://marc.info/?l=git&m=111375923219555&w=2

:-)

martin (formerly, a git hacker)
-- 
 martin.langhoff@xxxxxxxxx
 martin@xxxxxxxxxx -- School Server Architect
 - ask interesting questions
 - don't get distracted with shiny stuff - working code first
 - http://wiki.laptop.org/go/User:Martinlanghoff
-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
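The sha1-plus-size binding mentioned in the reply above, as an added example that is not part of the original message or of git's own code: a git object id is the SHA-1 of a `<type> <size>\0` header followed by the body, so a receiver can recompute it for any object it is handed. The function names and the sample payloads are constructed for illustration.

```python
import hashlib
import zlib


def git_object_id(obj_type: str, body: bytes) -> str:
    """SHA-1 over '<type> <size>\\0' + body, which is how git names an object."""
    header = f"{obj_type} {len(body)}".encode() + b"\x00"
    return hashlib.sha1(header + body).hexdigest()


def encode_loose(obj_type: str, body: bytes) -> bytes:
    """Build the zlib-compressed on-disk form of a loose object."""
    header = f"{obj_type} {len(body)}".encode() + b"\x00"
    return zlib.compress(header + body)


def parse_loose(compressed: bytes) -> tuple[str, bytes]:
    """Decompress a loose object and reject it if the declared size is wrong."""
    raw = zlib.decompress(compressed)
    header, sep, body = raw.partition(b"\x00")
    if not sep:
        raise ValueError("missing NUL after object header")
    obj_type, _, size = header.partition(b" ")
    if not size.isdigit() or int(size) != len(body):
        raise ValueError("declared size does not match body length")
    return obj_type.decode(), body


def verify_object(expected_id: str, compressed: bytes) -> bool:
    """True only if the received bytes hash to the id the receiver expected."""
    obj_type, body = parse_loose(compressed)
    return git_object_id(obj_type, body) == expected_id


# Constructed sample: the blob for "hello world\n" and a same-length altered copy.
GOOD_BODY = b"hello world\n"
ALTERED_BODY = b"hello w0rld\n"
GOOD_ID = git_object_id("blob", GOOD_BODY)

if __name__ == "__main__":
    print("expected id      :", GOOD_ID)
    print("untouched object :", verify_object(GOOD_ID, encode_loose("blob", GOOD_BODY)))
    print("altered object   :", verify_object(GOOD_ID, encode_loose("blob", ALTERED_BODY)))
    print("altered id       :", git_object_id("blob", ALTERED_BODY))
```

The comparison is only meaningful when the expected id was obtained independently of the connection being checked.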