On Tue, 2010-08-03 at 11:29 -0400, Martin Langhoff wrote:
> On Tue, Aug 3, 2010 at 11:16 AM, Matt McCutchen <matt@xxxxxxxxxxxxxxxxx> wrote:
> > don't want malware landing on my machine because someone did a MITM
> > attack on a Fedora maintainer's unencrypted "git fetch" and inserted
> > some extra patches to get pushed back to the real repository later.
>
> The git protocol makes it extremely hard to inject malware
> successfully. It would have to match sha1, _and_ match resulting
> filesize _and_ be meaningful code, all without the benefits of
> preimaging.
>
> Even for crypto hashes that have been "broken" for a while, doing the
> above is a huge challenge.
>
> If you do consider this a real risk, here's someone who wants to want
> to play with you, and build a bunker, 5 miles underground...
> http://marc.info/?l=git&m=111375923219555&w=2

I have to say I was tickled by Linus' imagination of how five year olds
behave:

"That's not engineering. That's five-year-olds discussing building their
imaginary forts ("I want gun-turrets and a mechanical horse one mile
high, and my command center is 5 miles under-ground and totally encased
in 5 meters of lead")."

Clearly Linus stood out even in his youth =)
-- 
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Fedora Talk: adamwill AT fedoraproject DOT org
http://www.happyassassin.net
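Added example, not part of the original thread: a sketch of how git derives object IDs (SHA-1 over a "<type> <size>" header plus the body, chained from blob to tree to commit), which is the "match sha1 and filesize" property quoted above. It assumes the fetching side already holds the expected commit ID from a trusted source, since the check only detects changes relative to an ID that is pinned; `IDENT`, `GOOD`, `TAMPERED` and `verify_fetch` are constructed names for illustration.

```python
import hashlib

# Constructed author/committer line; any fixed value works for the demonstration.
IDENT = "Example Dev <dev@example.invalid> 1280848140 -0400"

def git_object_id(obj_type, body):
    """SHA-1 over '<type> <size>' + NUL + body: the length is part of the hashed data."""
    header = f"{obj_type} {len(body)}\0".encode()
    return hashlib.sha1(header + body).hexdigest()

def tree_body(entries):
    """Serialize (mode, name, hex_id) entries in git's binary tree format.
    Handles plain files only (no sub-directories), sorted by name bytes."""
    out = b""
    for mode, name, hex_id in sorted(entries, key=lambda e: e[1].encode()):
        out += f"{mode} {name}\0".encode() + bytes.fromhex(hex_id)
    return out

def commit_id_for(files, message="import\n"):
    """Build blob -> tree -> commit IDs for a flat {name: bytes} working tree."""
    entries = [("100644", n, git_object_id("blob", d)) for n, d in files.items()]
    tree_id = git_object_id("tree", tree_body(entries))
    body = f"tree {tree_id}\nauthor {IDENT}\ncommitter {IDENT}\n\n{message}"
    return git_object_id("commit", body.encode())

def verify_fetch(expected_commit_id, files, message="import\n"):
    """True only if the received content reproduces the pinned commit ID."""
    return commit_id_for(files, message) == expected_commit_id

# Constructed sample trees: TAMPERED differs from GOOD in one file, same length.
GOOD = {"README": b"hello world\n", "build.sh": b"make all\n"}
TAMPERED = dict(GOOD, **{"build.sh": b"make ALL\n"})

if __name__ == "__main__":
    pinned = commit_id_for(GOOD)
    print("pinned commit id:", pinned)
    print("good content verifies:    ", verify_fetch(pinned, GOOD))
    print("tampered content verifies:", verify_fetch(pinned, TAMPERED))
```

A change to any blob changes the tree ID and therefore the commit ID, so content substituted in transit is caught only when the receiver compares against a commit ID obtained out of band.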