Re: deltas, history pruning vs GPG



Colin Walters <walters verbum org> writes:

I have two concerns:
  - We're doing a lot of data processing such as decompression, bsdiff, etc.
    before verifying content integrity.
  - Current OSTree makes it pretty trivial for a MITM to perform a DoS
    attack (just keep returning data), and I'd hoped to fix that with static deltas.

For the second concern, we could add metadata to the commit object that has size bounds
(this was previously attempted), but it's fairly ugly.

I've been thinking that the current "archive-z2" is good for a "QA continuous delivery",
and a "deltas only" repository would be good for production serving/replication.

We want to support the model where content is retrieved over an insecure channel
(e.g. plain HTTP), or in general is redistributed from the origin with opportunity
for MITM (think distribution mirrors, USB keys, etc.).  In that case it's
good for the signature to cover the transmitted data in an easy-to-validate
way before any processing is applied.

Now, what I was suggesting before is to:
 - Drop signatures on static deltas
 - Index deltas in the summary file
 - Introduce the concept of signatures on the summary file

Yes, thanks for the explanation, this would be helpful to avoid
processing delta parts before checking their integrity.

In this case, the summary will be signed only with the keys of the
distributor or the previous one in case of a mirror, discarding any
older signature (the chain will be maintained on the commits).  Is it
correct?

Thanks,
Giuseppe
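The scheme under discussion (a signed summary that indexes the deltas with size bounds, and delta parts that are checked against it before any decompression or bsdiff processing), sketched as an added example that is not OSTree's own code or Colin's proposal: the summary "signature" is an HMAC standing in for GPG, the JSON layout and the `from-to` part name are assumptions, and the delta payload is constructed.

```python
import hashlib, hmac, io, json, zlib

class IntegrityError(Exception):
    """Raised when transmitted data fails a check that must pass before processing."""

def sign_summary(summary, key):
    # Stand-in for a GPG signature: HMAC over the canonical JSON summary (assumption).
    body = json.dumps(summary, sort_keys=True).encode()
    return body + b"\n" + hmac.new(key, body, "sha256").hexdigest().encode()

def verify_summary(blob, key):
    # Verify the signature over the raw bytes first; only then parse the summary.
    body, _, sig = blob.rpartition(b"\n")
    expected = hmac.new(key, body, "sha256").hexdigest().encode()
    if not hmac.compare_digest(sig, expected):
        raise IntegrityError("summary signature mismatch")
    return json.loads(body)

def fetch_delta_part(summary, name, stream):
    # The signed summary bounds the size and fixes the checksum of each delta part,
    # so tampered or never-ending data is rejected before any decompression.
    entry = summary["deltas"][name]
    data = stream.read(entry["size"] + 1)  # one byte past the bound exposes oversize data
    if len(data) != entry["size"]:
        raise IntegrityError("delta part size does not match summary")
    if hashlib.sha256(data).hexdigest() != entry["sha256"]:
        raise IntegrityError("delta part checksum mismatch")
    return zlib.decompress(data)  # only now is the untrusted data processed

def build_repo(key, parts):
    # Constructed publisher side: compress each part and index it in the summary.
    blobs = {n: zlib.compress(p) for n, p in parts.items()}
    index = {n: {"size": len(b), "sha256": hashlib.sha256(b).hexdigest()}
             for n, b in blobs.items()}
    return sign_summary({"deltas": index}, key), blobs

def demo():
    key = b"constructed-demo-key"
    payload = b"bsdiff payload " * 100  # constructed delta content
    signed, blobs = build_repo(key, {"from-to": payload})
    summary = verify_summary(signed, key)
    results = {"valid": fetch_delta_part(summary, "from-to", io.BytesIO(blobs["from-to"])) == payload}
    # A MITM that just keeps returning data hits the size bound and is never decompressed.
    try:
        fetch_delta_part(summary, "from-to", io.BytesIO(blobs["from-to"] + b"\0" * 4096))
        results["endless"] = "accepted"
    except IntegrityError as e:
        results["endless"] = str(e)
    return results
```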

