On Tue, Aug 3, 2010 at 11:16 AM, Matt McCutchen <m...@mattmccutchen.net> wrote: > don't want malware landing on my machine because someone did a MITM > attack on a Fedora maintainer's unencrypted "git fetch" and inserted > some extra patches to get pushed back to the real repository later.
The git protocol makes it extremely hard to inject malware successfully. It would have to match sha1, _and_ match resulting filesize _and_ be meaningful code, all without the benefits of preimaging. Even for crypto hashes that have been "broken" for a while, doing the above is a huge challenge. If you do consider this a real risk, here's someone who wants to want to play with you, and build a bunker, 5 miles underground... http://marc.info/?l=git&m=111375923219555&w=2 :-) martin (formerly, a git hacker) -- martin.langh...@gmail.com mar...@laptop.org -- School Server Architect - ask interesting questions - don't get distracted with shiny stuff - working code first - http://wiki.laptop.org/go/User:Martinlanghoff -- devel mailing list devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/devel
