
Re: [Monotone-devel] Monotone Security


From: Daniel Carrera
Subject: Re: [Monotone-devel] Monotone Security
Date: Thu, 16 Oct 2008 00:09:01 +0200
User-agent: Thunderbird 2.0.0.17 (Macintosh/20080914)

Timothy Brownawell wrote:
>> MTN: WARNING! Unrecognized key in the server:
>> MTN:
>> MTN: address@hidden bc552a65085e0e55472b91a2c169af76ce7b1a62

> Sure, but that only gets triggered when someone using that hook does a
> checkout / update that wants to use a revision signed by the bad key. It
> would mostly work, but wouldn't be foolproof.

Ok. Well, nothing will ever be foolproof, but if it works most of the time that's already pretty good. Especially since, usually, the moment *one* developer notices he can post to the mailing list and say "does anyone know who this address@hidden is? Is he a new developer?". And then everyone notices.

> Sure, but *everyone* has to do that, and all at the same time. If
> someone forgets, the bad revision comes right back.

Oh, I didn't think of that. It would be easier if Monotone also had the other feature we said above: Have the server ignore commits from a key that it doesn't know about. When you discover the encumbered material, you db_kill it and remove the offending key from the database. So the next time a developer syncs he doesn't put the bad revision back in.


> So the safe way is
> to have one person make the change and set the branch epoch (a cookie
> that tells netsync to abort if the two sides don't match), and then
> everyone else pulls a fresh db from that person. Then if someone with
> the bad revision tries to sync they'll get an error message saying the
> epoch doesn't match, and maybe they should look into why.

Understood. The problem is fixable, but it is a hassle. And the bigger the team, the bigger the hassle.


Thanks for the corrections.

Daniel.
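
The two mechanisms discussed in this message, as a simplified model added here for illustration (not monotone's code or wire protocol, and not written by either poster): a deleted revision returns through an ordinary sync, while an epoch mismatch or a server-side key filter stops it. All class, function, revision, key and epoch names are constructed assumptions.

```python
# Toy model: a sync is a set union of (revision_id, signing_key) pairs.
# Constructed for illustration; real netsync is far more involved.

class EpochMismatch(Exception):
    pass

class Db:
    def __init__(self, name, revisions=(), epoch="e0", trusted_keys=None):
        self.name = name
        self.revisions = set(revisions)
        self.epoch = epoch                # the "cookie" both sides must agree on
        self.trusted_keys = trusted_keys  # None means accept any signing key

    def kill_rev(self, rev_id):
        self.revisions = {r for r in self.revisions if r[0] != rev_id}

    def fresh_pull_from(self, other):
        self.revisions = set(other.revisions)
        self.epoch = other.epoch

def sync(a, b):
    """Two-way sync: abort on epoch mismatch, else exchange accepted revisions."""
    if a.epoch != b.epoch:
        raise EpochMismatch(f"{a.name} and {b.name} disagree on the branch epoch")
    for src, dst in ((a, b), (b, a)):
        for rev in set(src.revisions):
            if dst.trusted_keys is None or rev[1] in dst.trusted_keys:
                dst.revisions.add(rev)

GOOD = ("rev-good", "alice-key")   # constructed sample revisions
BAD = ("rev-bad", "unknown-key")

def scenario(use_epoch, use_key_filter):
    """Return (bad revision back on server?, per-developer sync outcome)."""
    keys = {"alice-key"} if use_key_filter else None
    server = Db("server", {GOOD, BAD}, trusted_keys=keys)
    stale = Db("stale-dev", {GOOD, BAD})   # the developer who forgot to clean up
    fresh = Db("fresh-dev")
    server.kill_rev("rev-bad")
    if use_epoch:
        server.epoch = "e1"                # one person sets a new branch epoch
    fresh.fresh_pull_from(server)          # everyone else pulls a fresh db
    outcomes = {}
    for dev in (fresh, stale):
        try:
            sync(dev, server)
            outcomes[dev.name] = "synced"
        except EpochMismatch:
            outcomes[dev.name] = "aborted"
    return BAD in server.revisions, outcomes
```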



