Re: [Tails-dev] git (submodule) security

Nachricht löschen

Nachricht beantworten
Autor: boyska
Datum:  
To: The Tails public development discussion list
CC: freepto@autistici.org >> Everything about freepto, Whonix-devel
Betreff: Re: [Tails-dev] git (submodule) security
On Sat, Nov 01, 2014 at 08:07:04AM +0000, Patrick Schleizer wrote:
>By chance I found https://github.com/boyska/git-verify repo.


hey, that's me :P as you can see, it's a very simple script. I'm not
completely sure that it works exactly as I expect, and I am not even
sure that what I expect for "verification" is what everyone would.

I'd like to do some unit tests about the code, but it is quite
hard/boring to do that. Any contribution about better code, better
testing, etc will be really appreciated. Actually, I was very surprised
to not being able to find some script similar to what I wrote.

>At Whonix we're currently discussing various aspects of git security.
>Especially since git still uses SHA-1 and if git (submodule)
>verification is safe against adversaries, that can produce SHA-1 collisions.


Seems a really good point, but... can't you just recursively run git-verify?

>I was wondering, if you might be interested to join the discussion? [1]


I am really interested, thanks for sharing!

--
boyska