Re: Patch attestation RFC + proof of concept

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]


On Fri, Feb 28, 2020 at 2:58 AM Jason A. Donenfeld <Jason@xxxxxxxxx> wrote:
> It doesn't help with the reverse scenario, where what's in the
> developer's inbox or displayed on the lore webserver running a
> backdoored nginx doesn't match the patches that they eventually apply.
> That might seem like an unrealistic attack scenario, but then think
> about it combined with the get-lore-mbox feature to grab the latest
> patchset version and other similar shenanigans. Or, maybe Eve reposts
> v1 as v20, and this mailing list thread convinces you to ignore the
> [PATCH vX] from the metadata hash, or maintainers don't care about
> that hash verifying anyway since it tends to get mangled.

Or different patches with the same subject.

Recently, I accidentally send out a patch with the wrong subject, which
matched an older patch.

" 20200218112557.5924-1-geert+renesas@xxxxxxxxx"
downloads the new thread, plus the email with the old patch with the same
one-line summary.

Worse, " -a 20200218112557.5924-1-geert+renesas@xxxxxxxxx"
selects the old patch instead of the new one, despite the exact Message-ID
match on the command line.  Fortunately "git am" complained, as the old
patch had already been applied.



Geert Uytterhoeven -- There's lots of Linux beyond ia32 -- geert@xxxxxxxxxxxxxx

In personal conversations with technical people, I call myself a hacker. But
when I'm talking to journalists I just say "programmer" or something like that.
                                -- Linus Torvalds

[Index of Archives]     [Linux Samsung SoC]     [Linux Rockchip SoC]     [Linux Actions SoC]     [Linux for Synopsys ARC Processors]     [Linux NFS]     [Linux NILFS]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]

  Powered by Linux