Security
Joke de Buhr
joke.de.buhr at seiken.de
Wed Nov 4 08:35:10 GMT 2009
On Wednesday 04 November 2009 03:06:53 Stephen J. Turnbull wrote:
> Daniel Carrera writes:
> > Hello,
> >
> > Does Bazaar have any cryptographic security guarantees in the style
> > of Monotone, Git and Mercurial?
>
> Last I heard, only Monotone makes any pretense to security. Git and
> Mercurial provide a certain amount of automatic integrity checking,
> using a cryptographic quality hash. Whether that can be
> straightforwardly extended to security is another question; it depends
> a lot on workflows AFAIK.
>
Git cryptographic protection is based on sha1 hashes. Each commit is
hashed much like you can hash files from the command line using sha1sum. The
hash is used as a revision id in git.

It's possible to break sha1 hashes but not easy. In fact heavy research is
done to find better hashes which are more secure.

Bazaar does not use sha1 hashes as revision ids because they are long and
you can't say to your co-workers "hey, checkout my revision
0c061471d0933844ad2a4e99bceac67586d29ee3". They are just useful for
mailing, not direct inter-human communication.

That does not mean bazaar doesn't have sha1 secured commits. Use

    bzr testament -r [RevisionID]

to display the sha1 hash. You may verify the revision by comparing the
hashes. Just ask someone to send the hash. So bazaar offers the same
security as git.

In addition to sha1 hashes bazaar has the ability to pgp (gnupg) sign
commits using public/private key cryptography. These signed commits can be
verified against trusted gpg public keys of your co-workers. All you need is
their valid public key and you can check if a revision has been created by
its author. You don't need to know any kind of hashes any more. You don't
need them for gpg signed email either. Just the public keys.

Although bazaar has built-in abilities to create gpg signed revisions,
there aren't any built-in checks to verify the signatures yet. The only
possibility to verify a signature is to use the "signing" plugin.

http://bzr.arbash-meinel.com/plugins/signing/

The plugin doesn't do signature checking very well. It's not possible to
verify a single revision and the verification is slow especially on large
repositories. Maybe the developers will extend bazaar to handle signature
checking in a better way soon.
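
The hash-as-revision-id scheme discussed in this message, as an added example that is not part of the original post or of either project's code: it computes Git object ids (SHA-1 over a "type size NUL" header plus the body) and shows that a commit id also covers its parent's id, so comparing one id received out of band checks the history behind it. The identity line, commit messages and helper names are constructed for illustration.

```python
import hashlib
import hmac

# Git's well-known id for a tree with no entries: sha1(b"tree 0\x00")
EMPTY_TREE = "4b825dc642cb6eb9a060e54bf8d69288fbee4904"


def git_object_id(obj_type, body):
    """Name an object the way Git does: SHA-1 of '<type> <size>\\0' + body."""
    header = f"{obj_type} {len(body)}".encode() + b"\x00"
    return hashlib.sha1(header + body).hexdigest()


def commit_body(tree, parents, message):
    """Serialize a commit object; the identity line below is constructed."""
    ident = "Example Dev <dev@example.invalid> 1257323710 +0000"
    lines = [f"tree {tree}"]
    lines += [f"parent {p}" for p in parents]
    lines += [f"author {ident}", f"committer {ident}", "", message, ""]
    return "\n".join(lines).encode()


def build_history(first_message):
    """Two commits on the empty tree; returns (root_id, tip_id)."""
    root = git_object_id("commit", commit_body(EMPTY_TREE, [], first_message))
    tip = git_object_id("commit", commit_body(EMPTY_TREE, [root], "second change"))
    return root, tip


def same_revision(local_id, received_id):
    """Compare a locally computed id with one a co-worker sent by mail."""
    a = local_id.strip().lower().encode()
    b = received_id.strip().lower().encode()
    return hmac.compare_digest(a, b)


if __name__ == "__main__":
    root, tip = build_history("first change")
    # Altering only the first commit changes the tip id as well,
    # because the tip's body names its parent by hash.
    alt_root, alt_tip = build_history("first change (altered)")
    print("original tip:", tip)
    print("altered tip: ", alt_tip)
    print("tip matches mailed id:", same_revision(tip, tip.upper() + "\n"))
    print("altered history accepted:", same_revision(alt_tip, tip))
```

The comparison only shows that two parties hold the same content; who created a revision is what the signatures described in the message address.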