I'm trying to follow along here, and have a few abstract questions. If an attacker takes control over a repository, then that repository is compromised and would need to be restored from a non-compromised backup. By compromised we mean someone deleted it, defaced it, or, worse, tries to hide malicious code in it. The issue is then being able to notice / discover that a given fossil project has been compromised by an unauthorized user trying to hide malicious code in something? (This is a question.)
The only way to ever know such a thing (from a technology point of view) would be:

- to either compare the entire project.fossil file with a known good copy for changes (totally unrealistic, since the project would almost always be newer than a backup file; plus, how do you know one is "good" to archive as a "known good copy"?), or
- to algorithmically verify that changes are signed by trusted users on push/pull operations. (This is also a question.)

So from the "ideal scm features" point of view, what is supposed to happen? Just verify that diffs and/or complete project versions are signed by a user? As in a property of a user being a public key? Or as in some sort of hook script checking this externally before allowing a sync? If a signing key is later found to be compromised, then changes made with that signature need to be flagged for inspection?

www.thomasstover.com

_______________________________________________
fossil-users mailing list
fossil-users@lists.fossil-scm.org
http://lists.fossil-scm.org:8080/cgi-bin/mailman/listinfo/fossil-users
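The following is an added example, not code from the original post and not Fossil's own mechanism, sketching the second option the post raises: each change is hashed, the hash is signed with the author's Ed25519 key, and a sync-side check verifies every change against a trust list in which a key can be marked as compromised from a given time, so that changes signed with it at or after that point are flagged for inspection instead of being silently accepted. The commit layout, key identifiers, timestamps and the shape of the trust list are assumptions made for this illustration, and the history it checks is constructed sample data.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// Status is the outcome of verifying one commit.
type Status string

const (
	StatusOK          Status = "ok"                  // signed by a trusted key, before any compromise
	StatusBadHash     Status = "hash-mismatch"       // content no longer hashes to the claimed ID
	StatusBadSig      Status = "bad-signature"       // signature does not verify under the named key
	StatusUnknownKey  Status = "unknown-key"         // signer is not on the trust list
	StatusCompromised Status = "flag-for-inspection" // signed with a key at/after its compromise time
)

// Commit is a hypothetical signed change record (assumption: not Fossil's manifest format).
type Commit struct {
	ID      string // hex SHA-256 of the canonical content
	Parent  string // ID of the parent commit ("" for the root)
	Payload string // the change itself, e.g. a diff
	Signer  string // key identifier of the author
	Time    int64  // unix seconds when the commit was made
	Sig     []byte // Ed25519 signature over the ID bytes
}

// TrustedKey is one entry of the repository's trust list.
type TrustedKey struct {
	Pub              ed25519.PublicKey
	CompromisedSince int64 // 0 = never compromised; otherwise commits at/after this time are suspect
}

// canonical returns the bytes that are hashed and signed. Each field is
// length-prefixed so a field boundary cannot be shifted by an attacker.
func canonical(parent, payload, signer string, t int64) []byte {
	var b strings.Builder
	for _, f := range []string{parent, payload, signer, fmt.Sprint(t)} {
		fmt.Fprintf(&b, "%d:%s", len(f), f)
	}
	return []byte(b.String())
}

func commitID(parent, payload, signer string, t int64) string {
	sum := sha256.Sum256(canonical(parent, payload, signer, t))
	return hex.EncodeToString(sum[:])
}

// NewCommit builds a commit and signs its ID with the author's private key.
func NewCommit(priv ed25519.PrivateKey, parent, payload, signer string, t int64) Commit {
	id := commitID(parent, payload, signer, t)
	return Commit{ID: id, Parent: parent, Payload: payload, Signer: signer, Time: t,
		Sig: ed25519.Sign(priv, []byte(id))}
}

// Verify checks one commit against the trust list: content integrity first,
// then signer presence, then the signature, then the key's compromise window.
func Verify(c Commit, trust map[string]TrustedKey) Status {
	if commitID(c.Parent, c.Payload, c.Signer, c.Time) != c.ID {
		return StatusBadHash
	}
	k, ok := trust[c.Signer]
	if !ok {
		return StatusUnknownKey
	}
	if !ed25519.Verify(k.Pub, []byte(c.ID), c.Sig) {
		return StatusBadSig
	}
	if k.CompromisedSince != 0 && c.Time >= k.CompromisedSince {
		return StatusCompromised
	}
	return StatusOK
}

// VerifyHistory runs Verify over every commit and returns a status per ID;
// a sync hook would refuse or quarantine anything that is not StatusOK.
func VerifyHistory(history []Commit, trust map[string]TrustedKey) map[string]Status {
	out := make(map[string]Status, len(history))
	for _, c := range history {
		out[c.ID] = Verify(c, trust)
	}
	return out
}

// Demo builds a constructed sample history (not from any real repository)
// and returns the statuses alongside it for inspection.
func Demo() (map[string]Status, []Commit) {
	alicePub, alicePriv, _ := ed25519.GenerateKey(rand.Reader)
	bobPub, bobPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, malloryPriv, _ := ed25519.GenerateKey(rand.Reader)

	// Bob's key was later found compromised; everything it signed from t=300 on is suspect.
	trust := map[string]TrustedKey{
		"alice": {Pub: alicePub},
		"bob":   {Pub: bobPub, CompromisedSince: 300},
	}

	c1 := NewCommit(alicePriv, "", "add README", "alice", 100)
	c2 := NewCommit(bobPriv, c1.ID, "fix typo", "bob", 200)                // before compromise: ok
	c3 := NewCommit(bobPriv, c2.ID, "update build script", "bob", 350)     // after compromise: flag
	c4 := NewCommit(malloryPriv, c3.ID, "harmless refactor", "alice", 400) // forged signer name
	c5 := NewCommit(alicePriv, c4.ID, "bump version", "alice", 500)
	c5.Payload = "bump version\nplus an unsigned extra line" // tampered after signing

	history := []Commit{c1, c2, c3, c4, c5}
	return VerifyHistory(history, trust), history
}

func main() {
	statuses, history := Demo()
	for _, c := range history {
		fmt.Printf("%s  %-22q %s\n", c.ID[:12], c.Payload, statuses[c.ID])
	}
}
```

The compromise window is deliberately a flag rather than a hard reject: once a key is known bad, the question the post asks is which past changes need a human look, and a hook that only rejects new pushes would leave the already-accepted ones unexamined.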