please check out weave-format branch

Martin Pool martinpool at gmail.com
Fri Sep 23 07:41:55 BST 2005


On 23/09/05, John Arbash Meinel <john at arbash-meinel.com> wrote:

> 3) You removed "parent_sha1" from the revision XML. So now we reference
> a parent only by its revision id, rather than both id and sha1 hash. I
> realize that it makes upgrading easier (since you no longer have a hash
> which is invalidated), but it raises potential security concerns. These
> may not be major, but you can fake the ancestry if you remove the sha1.

Yes, I've thought the same things.  Having it there does feel like it
gives some protection, but it's hard to say against exactly what.

The difficulty comes not just when you upgrade your own branch, but
also if I've upgraded and then you pull from me -- all of those
revisions you pull in will have the wrong hashes.

If we want to support references to revisions whose value is not known
(which some people call "ghost" revisions) then this gets even more
difficult.  Of course we don't know the sha of the ghost revision, and
if we did find it out we'd have to redo everything from that point
forward.

> If a hacker can get his version of your parent injected into the system,
> then he can change the ancestry. At first, this just seems that it
> would mess up the merge command, since it can't find an appropriate
> merge base. But also if you ever just try to do "merge just the changes
> for this revision against its parent" (cherry picking, which bzr may or
> may not ever support), then the hacker has quite a bit of freedom about
> what sort of diff would be created. There isn't a lot of freedom, and I
> don't know what kind of dangerous stuff could be done, but it seems like
> a potential leak.

I think the goal would be to prevent it getting in in the first place
by checking a signature on that revision.

> I kind of liked the fact that for a given revision, all of the ancestry
> up to that point was contained in its hash. Because it had a hash of its
> parents, who have a hash of their parents, all the way back to the Null
> revision.

It is an elegant property.

--
Martin
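As an added illustration of the property discussed in this thread (not code from the bzr project or from either poster), the toy model below keeps a revision store with and without a recorded parent sha1 and walks the ancestry from the head. The record layout, the canonical serialisation and the three-revision history are constructed assumptions, not bzr's real revision XML.

```python
import hashlib
import json

# Constructed toy model of a revision store with hash-chained parents
# (not bzr's real revision XML); comparing include_parent_sha1=True/False
# shows what the "parent_sha1" field buys and what it costs on upgrade.
def revision_sha1(rev):
    """SHA-1 over a canonical serialisation of the revision record."""
    canon = json.dumps(rev, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha1(canon).hexdigest()

def make_revision(rev_id, content, parent, include_parent_sha1):
    rev = {"revision_id": rev_id, "content": content,
           "parent_id": None, "parent_sha1": None}
    if parent is not None:
        rev["parent_id"] = parent["revision_id"]
        if include_parent_sha1:
            rev["parent_sha1"] = revision_sha1(parent)
    return rev

def build_store(include_parent_sha1):
    """Three-revision linear history rev-0 -> rev-1 -> rev-2."""
    r0 = make_revision("rev-0", "initial import", None, include_parent_sha1)
    r1 = make_revision("rev-1", "add feature", r0, include_parent_sha1)
    r2 = make_revision("rev-2", "fix bug", r1, include_parent_sha1)
    return {r["revision_id"]: r for r in (r0, r1, r2)}

def rewrite_revision(store, rev_id, **changes):
    """Replace a stored revision under the same id: models both a swapped-in
    parent and a format upgrade that changes the serialised bytes."""
    store[rev_id] = {**store[rev_id], **changes}
    return store

def verify_ancestry(store, head_id):
    """Walk parents from head. Returns False on a missing (ghost) parent or on
    a parent whose current hash differs from the parent_sha1 recorded in the
    child. Without parent_sha1 it can only follow ids and detects no swap."""
    rev = store[head_id]
    while rev["parent_id"] is not None:
        parent = store.get(rev["parent_id"])
        if parent is None:
            return False
        if rev["parent_sha1"] is not None and rev["parent_sha1"] != revision_sha1(parent):
            return False
        rev = parent
    return True
```

With the hash present, replacing rev-1 under the same id or merely re-serialising rev-0 (the upgrade case) both break verification of rev-2; without it, the same replacement passes unnoticed, which is the trade-off the two posters describe.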



