[MERGE] [0.90] Disable patch verification (broken for CRLF files)

John Arbash Meinel john at arbash-meinel.com
Mon Aug 13 18:47:06 BST 2007

James Westby wrote:
> On (13/08/07 11:45), John Arbash Meinel wrote:
>> The chance of exploiting the change is pretty minimal, will only be
>> exposed for about 1 month, and is a lot less disruptive than preventing
>> bundles completely.
> I'm uneasy about opening up a known hole, but yes the alternative is
> worse in this case.
> There is another option however, that a fix is implemented that does not
> open the hole. I assume that is too costly for this stage in the
> release, if so then we should go for the least bad option.
> Thanks,
> James

I'm just going by what Aaron said:
  "The fix appeared simple, but I've run into problems testing it, so I
think the safest thing is to disable it for now.  I'll get a fix in
before 0.91."

I'm not sure why you couldn't just have something like:

tree1 = self.make_branch_and_tree('tree1')
self.build_tree_contents([('tree1/a', 'text\nfor\na\n'),
                          ('tree1/b', 'text\r\nfor\r\nb\r\n')])
tree1.add(['a', 'b'])
rev_id = tree1.commit('message')

# create a bundle for rev_id versus None
# verify that you can install the given bundle

There are other edge cases, like updating a and b so that they have real

Further, you could do things like take the bundle text and change all
line endings, etc., so that you know it is safe even if the email/etc.
munges things.
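
The line-ending test suggested in this message, sketched as an added example (not part of the original post and not Bazaar's code): it rewrites the line endings of a serialized bundle and checks whether each file's SHA-1 still verifies. The bundle format, the helper names and the base64 armoring are assumptions made for illustration, not Bazaar's bundle format or the fix planned for 0.91.

```python
import base64
import hashlib

# Constructed sample files, mirroring 'a' (LF) and 'b' (CRLF) from the message.
FILES = {"a": b"text\nfor\na\n", "b": b"text\r\nfor\r\nb\r\n"}

# Line-ending rewrites a mail path might apply to the bundle text.
MUNGERS = {
    "unchanged": lambda t: t,
    "to_crlf": lambda t: t.replace(b"\r\n", b"\n").replace(b"\n", b"\r\n"),
    "to_lf": lambda t: t.replace(b"\r\n", b"\n"),
}

def write_bundle(files, armored):
    """Serialize files into a toy text bundle (hypothetical format).

    Each file is a header line followed by its content, either raw or as one
    base64 line. Raw mode assumes every file ends with a newline.
    """
    out = []
    for name, data in sorted(files.items()):
        body = base64.b64encode(data) + b"\n" if armored else data
        header = "file %s sha1 %s lines %d\n" % (
            name, hashlib.sha1(data).hexdigest(), body.count(b"\n"))
        out.append(header.encode("ascii") + body)
    return b"".join(out)

def verify_bundle(text, armored):
    """Return {name: bool}: does each file's content still match its SHA-1?"""
    lines = text.splitlines(keepends=True)  # accepts LF and CRLF alike
    results, i = {}, 0
    while i < len(lines):
        _, name, _, digest, _, n = lines[i].decode("ascii").split()
        body = b"".join(lines[i + 1:i + 1 + int(n)])
        # b64decode ignores the trailing CR/LF, so armored content is unaffected.
        data = base64.b64decode(body) if armored else body
        results[name] = hashlib.sha1(data).hexdigest() == digest
        i += 1 + int(n)
    return results

def survival_matrix(armored):
    """Verify the bundle after every line-ending rewrite in MUNGERS."""
    bundle = write_bundle(FILES, armored)
    return {label: verify_bundle(munge(bundle), armored)
            for label, munge in MUNGERS.items()}

if __name__ == "__main__":
    for armored in (False, True):
        print("armored" if armored else "raw", survival_matrix(armored))
```

With raw embedding, any rewrite breaks verification for whichever file used the other line-ending convention; the armored form verifies under all three.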
