[MERGE] [0.90] Disable patch verification (broken for CRLF files)
John Arbash Meinel
john at arbash-meinel.com
Mon Aug 13 18:47:06 BST 2007
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
James Westby wrote:
> On (13/08/07 11:45), John Arbash Meinel wrote:
>> The chance of exploiting the change is pretty minimal, will only be
>> exposed for about 1 month, and is a lot less disruptive than preventing
>> bundles completely.
>>
>
> I'm uneasy about opening up a known hole, but yes the alternative is
> worse in this case.
>
> There is another option however, that a fix is implemented that does not
> open the hole. I assume that is too costly for this stage in the
> release, if so then we should go for the least bad option.
>
> Thanks,
>
> James
>
I'm just going by what Aaron said:
"The fix appeared simple, but I've run into problems testing it, so I
think the safest things it to disable it for now. I'll get a fix in
before 0.91."
I'm not sure why you couldn't just have something like:
    from bzrlib.tests import TestCaseWithTransport

    class TestBundleLineEndings(TestCaseWithTransport):

        def test_install_bundle_with_crlf_file(self):
            tree1 = self.make_branch_and_tree('tree1')
            # 'a' uses LF line endings, 'b' uses CRLF
            self.build_tree_contents([('tree1/a', 'text\nfor\na\n'),
                                      ('tree1/b', 'text\r\nfor\r\nb\r\n')])
            tree1.add(['a', 'b'])
            rev_id = tree1.commit('message')
            # create a bundle for rev_id versus None
            # verify that you can install the given bundle
There are other edge cases, like updating a and b so that they have real
differences.
Further, you could do things like take the bundle text, and change all
line endings, etc. So that you know it is safe even if the email/etc
munges things.
John
=:->
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQFGwJkaJdeBCYSNAAMRAgkuAKCLVi5N7aXzLnkTuiKoQ7sBtW215QCfRUSc
TfxKolWaeWTaYZvkLTrwFtc=
=XcHe
-----END PGP SIGNATURE-----
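The test John sketches above (commit an LF file and a CRLF file, bundle them, then rewrite every line ending in the bundle text and check it still installs) can be shown outside bzr with a toy bundle format. The following is an added example, not code from the original message or from bzr; the bundle format, the function names and the file contents are all made up for illustration, and file names are assumed to contain no spaces. It contrasts a verbatim encoding, whose SHA-1 check fails as soon as a mail transport normalises the CRLF file's terminators, with an encoding that spells each terminator out so that the bundle survives the munging.

```python
import hashlib

# Constructed sample contents (not from the bzr test suite), mirroring the
# LF file 'a' and the CRLF file 'b' in the message above.
FILES = {
    'a': b'text\nfor\na\n',
    'b': b'text\r\nfor\r\nb\r\n',
}

# Each content line travels with its own terminator spelled out as a word, so the
# bundle text never contains a bare CR and a transport that rewrites LF/CRLF
# cannot change what the receiver reconstructs.
ENDINGS = {b'\r\n': 'crlf', b'\n': 'lf', b'\r': 'cr', b'': 'none'}
CODES = {word: ending for ending, word in ENDINGS.items()}


def make_bundle(files):
    """Hypothetical escaped bundle: a header with the SHA-1 of the exact bytes,
    then one line per content line as '  <ending-word> <body>'."""
    out = []
    for name, data in sorted(files.items()):
        out.append('file %s sha1 %s' % (name, hashlib.sha1(data).hexdigest()))
        for line in data.splitlines(True):          # keepends: terminator stays on
            body = line.rstrip(b'\r\n')
            out.append('  %s %s' % (ENDINGS[line[len(body):]], body.decode('utf-8')))
    return '\n'.join(out) + '\n'


def read_bundle(text):
    """Rebuild {name: (digest, bytes)}; tolerant of any endings the transport left."""
    files, current = {}, None
    for raw in text.splitlines():
        if raw.startswith('file '):
            _, name, _, digest = raw.split(' ', 3)
            current = files[name] = [digest, bytearray()]
        elif raw.startswith('  '):
            word, _, body = raw[2:].partition(' ')
            current[1] += body.encode('utf-8') + CODES[word]
    return {name: (digest, bytes(buf)) for name, (digest, buf) in files.items()}


def make_verbatim_bundle(files):
    """The fragile alternative: file bytes pasted in unchanged, so a CRLF file's
    terminators are exposed to whatever the transport does to them."""
    out = []
    for name, data in sorted(files.items()):
        out.append('file %s sha1 %s\n' % (name, hashlib.sha1(data).hexdigest()))
        out.append(data.decode('utf-8'))
    return ''.join(out)


def read_verbatim_bundle(text):
    """Rebuild {name: (digest, bytes)} from a verbatim bundle, keeping endings as found."""
    files, current = {}, None
    for line in text.splitlines(True):
        if line.startswith('file '):
            _, name, _, digest = line.split()
            current = files[name] = [digest, bytearray()]
        else:
            current[1] += line.encode('utf-8')
    return {name: (digest, bytes(buf)) for name, (digest, buf) in files.items()}


def verify(files):
    """Names whose reconstructed bytes do not match the recorded SHA-1 (sorted)."""
    return sorted(name for name, (digest, data) in files.items()
                  if hashlib.sha1(data).hexdigest() != digest)


def munge_line_endings(text, ending):
    """Simulate a mail transport rewriting every line terminator in the bundle text."""
    return ending.join(text.splitlines()) + ending


if __name__ == '__main__':
    for label, writer, reader in [('escaped', make_bundle, read_bundle),
                                  ('verbatim', make_verbatim_bundle, read_verbatim_bundle)]:
        for ending in ('\n', '\r\n'):
            bad = verify(reader(munge_line_endings(writer(FILES), ending)))
            print('%-8s bundle, endings rewritten to %r: mismatches %s' % (label, ending, bad))
```

The verbatim form is what breaks: after a transport forces LF the CRLF file 'b' no longer matches its digest, and after a transport forces CRLF the LF file 'a' fails instead. Disabling the check makes those cases install, which is the "known hole" the thread is weighing; encoding the terminators out of band keeps the check and still survives the munging.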