On Sun, 26 Feb 2017 12:00:50 +0100 Miroslav Rovis wrote:
> But, when we talk crypto being broken,

Git is not in the immediate threat due to SHA1 collision being practical. See Linus' blog about this:
https://plus.google.com/+LinusTorvalds/posts/7tp2gYWQugL

Note that git devs are working on moving to a more secure hash function. Also note that git can handle several files in the repo with the same hash function. While this doesn't protect from the possible repo forgery, it protects from accidental file collision where subversion fails badly:
https://www.bleepingcomputer.com/news/security/sha1-collision-attack-makes-its-first-victim-subversion-repositories/

I do not want to offend subversion devs, but they haven't even considered the possibility that hash function may collide. Huge blunder on their side.

> I can help thinking of other
> threats to Gentoo and other FOSS GNU Linux that I fear are perfectly
> feasible (for the resourceful subjects)
>
> Gentoo distro is increasingly served the insecure way, IMO, that is: via
> git, without the repositories being, for end users, PGP-verifiable.

It is verifiable for end users, but not in an easy way. You can either use web rsync or verify git commits yourself using gnupg and gkeys.

> And via a new private big business, the Github. Giving over all users to
> big Github brother.

??? Github is entirely optional and is only for those who want to use it (we have both users and devs willing so), but in no way anyone demands its usage. If you want to have sync-friendly git repo, Gentoo infra provides one for you:
https://gitweb.gentoo.org/repo/sync/gentoo.git/

> And, in the trasition all the history got lost. Git started remembering
> only from 2015.

No, it isn't. Full historical git repo is available:
https://gitweb.gentoo.org/repo/gentoo/historical.git/

One may use git graft to join historical and actual repo together.

> I have asked a question about getting git-served repository verifiable
> for end users, but I didn't get any replies:

Do not forget that all devs are volunteers.

User-transparent GnuPG tree verification is indeed important. You can help! Join gkeys project, get in touch with infra, discuss what needs to be done. Don't just rattle about how insecure data is provided, help to make it secure! (And as I showed above actual state is not that bad and some options are already available.)

Best regards,
Andrew Savchenko
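The "git graft" step mentioned in the reply, shown as an added, self-contained example that is not part of the mailing-list post and not a Gentoo infra script. It uses the modern form of grafting, `git replace --graft`, and builds two tiny constructed repositories in a temporary directory (stand-ins for historical.git and the current tree, whose single root commit is the "2015 start") so it runs offline; the file and commit names are invented for the demonstration. The script also shows the caveat a practitioner should know: a graft is a local replacement ref under refs/replace/ that is not transferred by default, and `--no-replace-objects` exposes the unjoined history again.

```shell
#!/bin/sh
# Added example: join a "historical" git repo onto the root commit of a
# repo that starts later, using git replace --graft (git >= 2.6 assumed).
# Both repositories are constructed locally; nothing is fetched from the
# network. Paths and commit messages are placeholders.
set -e

WORK="$(mktemp -d)"
HIST="$WORK/historical"   # stand-in for historical.git
CUR="$WORK/gentoo"        # stand-in for the current repo (root commit only)

# Fixed identity and no commit signing, so the demo runs in any sandbox.
export GIT_AUTHOR_NAME=example GIT_AUTHOR_EMAIL=example@example.invalid
export GIT_COMMITTER_NAME=example GIT_COMMITTER_EMAIL=example@example.invalid
commit() { git -c commit.gpgsign=false commit -q -m "$1"; }

# Constructed "historical" repo: two commits of old history.
make_historical() (
  mkdir -p "$HIST" && cd "$HIST" && git -c init.defaultBranch=main init -q
  printf 'old 1\n' > ebuild && git add ebuild && commit "historical 1"
  printf 'old 2\n' > ebuild && git add ebuild && commit "historical 2"
  git rev-parse HEAD
)

# Constructed "current" repo: a single parentless root commit whose tree
# matches the historical tip, like a fresh import of an existing tree.
make_current() (
  mkdir -p "$CUR" && cd "$CUR" && git -c init.defaultBranch=main init -q
  printf 'old 2\n' > ebuild && git add ebuild && commit "initial import"
  git rev-parse HEAD
)

# Number of commits reachable from HEAD in the current repo, honouring grafts.
history_depth() (
  cd "$CUR" && git rev-list --count HEAD
)

# Same count with replacement refs ignored: what a clone without the
# graft (or a remote that never received refs/replace/) would see.
history_depth_raw() (
  cd "$CUR" && git --no-replace-objects rev-list --count HEAD
)

# The graft itself: fetch the historical objects into the current repo,
# find the current root commit, and declare the historical tip its parent.
graft_history() (
  cd "$CUR"
  git fetch -q "$HIST"                         # objects land in FETCH_HEAD
  tip="$(git rev-parse FETCH_HEAD)"
  root="$(git rev-list --max-parents=0 HEAD)"  # the parentless 2015-style root
  git replace --graft "$root" "$tip"
  git replace -l                               # lists the replaced root commit
)

make_historical >/dev/null
make_current >/dev/null
echo "before graft: $(history_depth) commit(s)"
graft_history >/dev/null
echo "after graft:  $(history_depth) commit(s), raw view still $(history_depth_raw)"
(cd "$CUR" && git log --oneline)               # now walks into historical commits
```

For the real repositories one would clone the two gitweb URLs from the reply in place of the constructed repos; the fetch, `rev-list --max-parents=0` and `git replace --graft` steps are the same. Because the replacement ref is local, every machine that wants the joined history has to create it (or explicitly fetch refs/replace/*); tools invoked with `--no-replace-objects`, and any signature verification of the original root commit, keep seeing the unmodified object.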