53/66: programming-2022: Address comments from reviewer C.
From: Ludovic Courtès
Subject: 53/66: programming-2022: Address comments from reviewer C.
Date: Wed, 29 Jun 2022 11:32:04 -0400 (EDT)
civodul pushed a commit to branch master
in repository maintenance.
commit f9bb7bc36fee4e466ba7859e68fdb23015f8bc5e
Author: Ludovic Courtès <ludo@gnu.org>
AuthorDate: Thu Apr 28 14:40:09 2022 +0200
programming-2022: Address comments from reviewer C.
* doc/programming-2022/supply-chain.skb: Tweak.
---
doc/programming-2022/supply-chain.skb | 11 ++++++++---
1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/doc/programming-2022/supply-chain.skb
b/doc/programming-2022/supply-chain.skb
index 4409b14..7259359 100644
--- a/doc/programming-2022/supply-chain.skb
+++ b/doc/programming-2022/supply-chain.skb
@@ -570,7 +570,10 @@ happened to GNU’s Savannah in 2010 ,(ref :bib
'fsf2010:compromise).])
(p [An attacker who gained access to the server hosting the Guix
repository can push code, which every user would then pull. The
change might even go unnoticed and remain in the repository forever.
-They may also reset the main branch to an earlier revision, leading
+This cannot be addressed simply by having users check OpenPGP signatures
+on commits: that alone is of no use if users cannot tell whether the
+commit is indeed signed by an authorized party.
+An attacker may also reset the main branch to an earlier revision, leading
users to install outdated software with known vulnerabilities—a ,(emph
[downgrade attack]) ,(ref :bib '(cappos2008:attacks kuppusamy2017:mercury
torresarias2016:omitting)).
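Review bot: The referent of "This" at the start of the added sentence ("This cannot be addressed simply by having users check OpenPGP signatures on commits") is ambiguous: it could be read as the unnoticed change from the previous sentence rather than the underlying problem of an attacker pushing code. Consider naming the problem explicitly, e.g. "Such unauthorized pushes cannot be addressed simply by having users check OpenPGP signatures on commits". The added sentence also makes a stronger claim than the surrounding text supports on its own: signature checking is "of no use" only when the verifier has no way to learn who is authorized, so "alone" is doing important work here and could be stated more plainly, e.g. "checking signatures without knowing which keys are authorized provides no protection". Replacing "They" with "An attacker" in the last added line removes a dangling pronoun and reads well.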
@@ -636,8 +639,10 @@ which the developer was officially an authorized
committer.])
be described as ,(emph [in-band commit authorization]). “In-band” means
that the information necessary to determine whether a commit is
legitimate—where it was ,(emph [authorized])—is available in the
-repository itself; this check can thus be made off-line, without
-resorting to a third party. Authorization information follows the
+repository itself. This check can thus be made off-line, without
+resorting to a third party; it can still be made on a copy of the
+repository, including an archived copy, years later.
+Authorization information follows the
commit graph: the list of authorized signers for a commit is obtained
,(emph [in the parent commit(s)]).])
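Review bot: The new clause "it can still be made on a copy of the repository, including an archived copy, years later" is joined to the previous sentence with a semicolon, which makes "it" read as a restatement of the off-line point rather than an additional property; consider "and the check can still be made years later on a copy of the repository, including an archived one". The years-later claim rests on everything needed for verification being in the repository, but the visible text only mentions "the list of authorized signers" being obtained from the parent commit(s); it would help to say explicitly whether the signers' public keys are also carried in-band, since otherwise fetching keys from a keyserver reintroduces the third-party dependency the paragraph says is avoided. Splitting the previous sentence at "repository itself." is a readability improvement.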