Zack Weinberg wrote:
I used the terms "sender" and "recipient" deliberately; as Ethan says downthread, the server itself is not a trusted entity in this architecture. Or, more precisely, security decisions are intended to be made at checkout time, not at propagation time.
OK. But as I just said to Ethan, I was thinking about one specific threat. In that page I wrote, I mention other threats where the server is the bad guy (sender).
Your example about the BSDs was interesting though. I had not thought of a scenario like that, where the server is actually /supposed/ to have untrusted code (e.g. FreeBSD code which is untrusted by OpenBSD).
Make more sense now?
I think we are on the same wavelength. You gave a good example where the security check really belongs at checkout time and not at propagation time. Please keep in mind that I was thinking about one specific attack. I was not intending to speak in the abstract.
Daniel.

_______________________________________________
Monotone-devel mailing list
Monotone-devel@nongnu.org
http://lists.nongnu.org/mailman/listinfo/monotone-devel