-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Baruch Even wrote:
> * Cédric Augonnet <[EMAIL PROTECTED]> [070919 01:34]:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> Hi,
>>
>> Would not this dumb patch (applied to the latest mercurial repository)
>> avoid throwing cached data away when the gpg signature is not valid?
>
> It will stop removing the files but it doesn't do anything to warn the
> user and ask for special permission. There is a reason for the gpg
> check, to protect against malicious attackers changing the kernel
> sources without the users noticing it.
>
> If the user doesn't have the key to check against he should be warned
> about it and subsequent attempts should fail as well, unless the user
> explicitly overrides the gpg check.
>
> I believe this patch is incomplete in its current form.
>
> Baruch

Hi,

First, thanks for your quick reaction ...

Correct me if I'm wrong, but I had the impression that with my dummy
modifications, the situation would be:

- if the signature checking succeeds, or if there is no signature checking
  and we have a cache miss, nothing changes.
- if the signature checking somehow fails, the files are put in the cache
  but not used. When the user re-issues some ketchup command which possibly
  needs that cached file, there are two cases:
  + if the user did not use --no-gpg, then the signature of those files will
    first be checked, and there is no problem since we don't use corrupted
    data;
  + if the user did specify --no-gpg, then indeed it's unclear: the cache
    will be reused, and if there was some data tampering ... then we do have
    a problem. But this happens only in the case that the data were
    previously corrupted, then corrected, and not updated in our cache.

What would you propose to address this? Here are some silly suggestions;
perhaps one could be a better approach:

- When you do not specify --no-gpg and the signature fails, you could
  explicitly propose several solutions like
  * 0 -> stop (default)
  * 1 -> go on despite gpg
  * 2 -> stop but keep files in cache
  I guess the common case when the "bug" was happening is when you forget
  the "-G", so that way you would get some second chance ...
- You could also, in addition to saying that the key checking failed (which
  we still do), ask if we want to keep the data in the cache or not. That is
  kind of a subset of the previous solution.
- Consider that there is too much risk in putting the files in the cache?

Just my 2 cents.

Regards,
Cédric
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFG8XY8h8mVmA5jLbkRAuNWAKCcMTpuIs92tR57scklM0bHKxLKpQCgjjy4
ur+lPam4QxhBRc85YLaw3A0=
=BDjO
-----END PGP SIGNATURE-----
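The cache behaviour sketched in the thread, as an added worked example. This is not ketchup's code and not the patch under discussion; it models the proposal that a file whose signature does not check out is kept in the cache but flagged, and is re-verified before any later use unless the user overrides the check. A keyed hash stands in for the detached gpg signature so the example runs offline; the signing key, the patch names and the patch bytes are all constructed, and `no_gpg` plays the role of ketchup's `--no-gpg` / `-G` flag. Passing `key=None` models Baruch's case of a user who has no key to check against.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# Constructed stand-in for the upstream signing key (NOT a real gpg key).
SIGNING_KEY = b"constructed-demo-signing-key"


def sign(data: bytes) -> bytes:
    """Producer side: stand-in for 'gpg --detach-sign'."""
    return hmac.new(SIGNING_KEY, data, hashlib.sha256).digest()


def verify(data: bytes, sig: bytes, key: Optional[bytes]) -> bool:
    """Consumer side: stand-in for 'gpg --verify'. No key => cannot verify."""
    if key is None:
        return False
    expected = hmac.new(key, data, hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)


@dataclass
class CacheEntry:
    data: bytes
    sig: bytes
    verified: bool  # True only once the signature has checked out


class PatchCache:
    """Files are kept even when verification fails, but flagged unverified."""

    def __init__(self) -> None:
        self.entries: Dict[str, CacheEntry] = {}


Downloader = Callable[[str], Tuple[bytes, bytes]]  # name -> (file, signature)


def fetch(name: str, cache: PatchCache, download: Downloader,
          key: Optional[bytes], no_gpg: bool = False) -> Tuple[Optional[bytes], str]:
    """Return (data, status); data is None when the file is rejected."""
    entry = cache.entries.get(name)
    if entry is None:
        data, sig = download(name)
        entry = CacheEntry(data, sig, verify(data, sig, key))
        cache.entries[name] = entry  # stored either way; the flag records trust
        if entry.verified:
            return entry.data, "download-verified"
    elif entry.verified:
        return entry.data, "cache-verified"
    elif verify(entry.data, entry.sig, key):
        # Cached on an earlier run without passing the check (e.g. key missing
        # then); re-verified now, so it can be used without a new download.
        entry.verified = True
        return entry.data, "cache-reverified"

    # The signature did not check out, now or on a previous run.
    if no_gpg:
        return entry.data, "unverified-override"  # the case the thread calls unclear
    return None, "rejected"


def demo() -> Dict[str, str]:
    """Walk through the cases raised in the thread; returns the statuses seen."""
    cache = PatchCache()
    # Constructed patch bytes; the tampered copy keeps the original's signature.
    good = b"--- a/Makefile\n+++ b/Makefile\n-VERSION = 1\n+VERSION = 2\n"
    sig = sign(good)
    tampered = good.replace(b"VERSION = 2", b"VERSION = 3")
    seen: Dict[str, str] = {}

    def serve_good(_name: str) -> Tuple[bytes, bytes]:
        return good, sig

    def serve_tampered(_name: str) -> Tuple[bytes, bytes]:
        return tampered, sig

    def serve_none(_name: str) -> Tuple[bytes, bytes]:
        raise AssertionError("cached copy should have been used, not re-downloaded")

    # Run 1: key not in the keyring. File is kept but flagged; nothing is used.
    _, seen["no-key"] = fetch("patch-a", cache, serve_good, key=None)
    # Run 2: key imported later. The cached copy is re-verified, no new download.
    _, seen["key-later"] = fetch("patch-a", cache, serve_none, key=SIGNING_KEY)
    _, seen["key-again"] = fetch("patch-a", cache, serve_none, key=SIGNING_KEY)
    # Run 3: tampered download. Rejected without the flag; with no_gpg the cached
    # tampered bytes are served, which is exactly the risk the thread points out.
    _, seen["tampered"] = fetch("patch-b", cache, serve_tampered, key=SIGNING_KEY)
    data, seen["tampered-override"] = fetch("patch-b", cache, serve_none,
                                            key=SIGNING_KEY, no_gpg=True)
    seen["override-served-tampered"] = str(data == tampered)
    return seen


if __name__ == "__main__":
    for case, status in demo().items():
        print(f"{case:>25}: {status}")
```

The `verified` flag is what makes the "keep but don't use" idea safe without `--no-gpg`: a flagged entry never reaches the user until a fresh verification passes, and a user who installs the key afterwards gets the second chance the thread mentions without refetching. The last two lines of `demo` show the remaining gap: once `--no-gpg` is given, a stale tampered copy is reused from the cache just as the message warns, so a real implementation should at least warn before serving an entry whose flag is still unverified.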