On Fri, Jun 8, 2012 at 7:01 AM, W. Trevor King <wk...@tremily.us> wrote:
> When the breach is discovered, you can then isolate the dev (or devs)
> who implicitly signed the hack (2) by pulling the ToT without checking
> for a valid signature (3). Then you yell at them for sloppy security,
> and tell them to install your signature-checking post-receive hook.
Well, if devs are supposed to do this, we should probably write this down as a policy somewhere. Probably wouldn't hurt if the post-receive hook actually existed, and it was designed to only work on the official tree; otherwise everybody will just uninstall it, since people don't just pull from the official tree.

I doubt any dev checks the signatures on manifest files before they overwrite them with a new signature. If they did, it wouldn't matter, since those signatures aren't even mandatory anyway. Certainly it isn't intuitive to me that when I perform a signature on changes I make, I'm also vouching for work committed by somebody else before me.

Process can be as effective as technology in achieving security, but only if those processes are clear, and unintrusive enough to ensure they are followed. I wouldn't count on being able to yell at developers - first, it does nothing to solve the mess that you'd be in at that point, and second, you can only yell at volunteers so much.

Rich
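As an added illustration of the hook design discussed in this thread (not code from the thread or from Gentoo): a git hook body that reads the ref updates a post-receive hook gets on stdin, stays silent unless the clone's `origin` is the official tree, and flags every commit in the updated range whose signature is not a good one from a trusted key, using the `%G?` status codes git documents for `git log` (G good, B bad, U good but untrusted, X/Y expired, R revoked, E missing key, N unsigned). The `OFFICIAL_REMOTE_URL` value is an assumed placeholder.

```python
#!/usr/bin/env python3
"""Flag unsigned or untrusted commits in a ref update, but only on the official tree."""
import subprocess
import sys

# Assumption: placeholder for the official tree's URL; set to the real one.
OFFICIAL_REMOTE_URL = "git://example.invalid/official-tree.git"

# Meaning of git's %G? signature status codes (documented under git log pretty formats).
STATUS = {"G": "good", "B": "bad", "U": "good-untrusted", "X": "expired-sig",
          "Y": "expired-key", "R": "revoked-key", "E": "missing-key", "N": "unsigned"}


def unverified_commits(log_lines):
    """Parse lines of 'git log --format=%H %G? %GS' and return every commit that
    does not carry a good signature from a trusted key, as (sha, status, signer)."""
    flagged = []
    for line in log_lines:
        parts = line.strip().split(" ", 2)  # unsigned commits have an empty %GS
        if len(parts) < 2:
            continue
        sha, code = parts[0], parts[1]
        signer = parts[2] if len(parts) == 3 else ""
        if code != "G":
            flagged.append((sha, STATUS.get(code, "unknown"), signer))
    return flagged


def is_official_tree(remote_url):
    """True only when the clone's origin is the official tree (trailing slash ignored)."""
    return remote_url.rstrip("/") == OFFICIAL_REMOTE_URL.rstrip("/")


def main():
    remote = subprocess.run(["git", "config", "--get", "remote.origin.url"],
                            capture_output=True, text=True).stdout.strip()
    if not is_official_tree(remote):
        return 0  # not the official tree: say nothing, so nobody has a reason to uninstall the hook
    problems = []
    for update in sys.stdin:  # post-receive feeds "<old> <new> <ref>" per updated ref
        old, new, _ref = update.split()
        log = subprocess.run(["git", "log", "--format=%H %G? %GS", f"{old}..{new}"],
                             capture_output=True, text=True).stdout.splitlines()
        problems.extend(unverified_commits(log))
    for sha, status, signer in problems:
        print(f"{sha[:12]} {status} {signer}".rstrip(), file=sys.stderr)
    return 1 if problems else 0


if __name__ == "__main__":
    sys.exit(main())
```

Verification of the signatures themselves is left to git (`%G?` reflects the local gpg keyring and its trust settings), so the hook only reports what git already computed.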