public inbox for gcc@gcc.gnu.org
From: Tom Lord <lord@emf.net>
To: gcc@gcc.gnu.org
Cc: tim@hollebeek.com
Subject: Re: on security and patch formats
Date: Tue, 10 Dec 2002 15:07:00 -0000
Message-ID: <200212102245.OAA19059@emf.net>
In-Reply-To: <20021210141739.A476@hollebeek.com> (message from Tim Hollebeek on Tue, 10 Dec 2002 14:17:39 -0800)
   > If you are really worried about it, we can make some modest changes to
   > an FTP server.  In particular, as I mentioned, `arch' never needs to
   > _modify_ files in the repository, only to add, rename and delete
   > them.  It never needs to delete precious files -- only lock files and
   > cache files.   One can imagine adding a feature to an FTP server that
   > implicitly manipulates the permissions on files and directories to
   > help ensure that precious files, once created, can not be modified or
   > deleted by the server under any circumstances.

   Have you thought this out?

Yes.

   rename implies a soft delete ability : you can't destroy information,
   but you can make file existence checks fail on arbitrary files.

   even worse, rename + add implies modify.

Consider the repository as a static archive of files with well-known
names.  Once a file reaches its "final" location, it never needs to be
renamed or deleted after that.  It can even be transferred to
write-once storage.

The ascension process -- the process of adding a new file: that
requires renames and deletes to implement locking and atomic
operation.   Thus, once ascension is complete, permissions can be
locked down.   Between native filesystem permissions and a filter on
the system calls issued by the FTP server, precious files can be quite
well protected.

Servers also benefit from "cache files" that summarize information
found in precious files.  These do, indeed, complicate the security
concerns -- but not, I think, very much.

If you like, we can get into details of the repository format and
protocols off-list.

-t
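The ascension discipline described above (take a lock, write the new file, rename it into place atomically, lock it down, and delete only lock-related files), as an added Python sketch that is not code from arch or from this thread. It assumes a POSIX filesystem and covers only the server's own discipline, not the syscall filter or the directory-level permissions an outside owner would apply.

```python
import os
import stat
import tempfile

LOCK_SUFFIX = ".lock"  # lock directories are the only thing the server ever deletes
PRECIOUS_MODE = 0o444  # an ascended file is read-only for everyone, server included

class AscensionError(Exception):
    """An add that would modify, or race, an existing precious file."""

def ascend(repo, name, data):
    """Add `name` to `repo` atomically; never overwrite an existing file."""
    final = os.path.join(repo, name)
    lock = final + LOCK_SUFFIX
    tmp = os.path.join(lock, "payload")
    try:
        os.mkdir(lock)  # atomic: two servers cannot both ascend `name`
    except FileExistsError:
        raise AscensionError(f"{name}: another ascension is in progress")
    try:
        if os.path.lexists(final):
            raise AscensionError(f"{name}: already ascended, refusing to modify")
        with open(tmp, "wb") as f:
            f.write(data)
            f.flush(); os.fsync(f.fileno())  # durable before it becomes visible
        os.chmod(tmp, PRECIOUS_MODE)  # locked down before the rename, not after
        os.rename(tmp, final)  # readers see either nothing or the whole file
    finally:
        if os.path.lexists(tmp):
            os.unlink(tmp)  # a failed attempt deletes only its own temp file
        os.rmdir(lock)
    return final

def audit(repo):
    """Names of precious files whose mode bits are not the read-only mode."""
    return sorted(e.name for e in os.scandir(repo)
                  if e.is_file(follow_symlinks=False)
                  and stat.S_IMODE(e.stat(follow_symlinks=False).st_mode) != PRECIOUS_MODE)

def demo():
    repo = tempfile.mkdtemp(prefix="archive-")  # constructed, throwaway repository
    path = ascend(repo, "patch-1", b"first revision\n")
    try:
        ascend(repo, "patch-1", b"tampered\n")  # the "rename + add implies modify" case
        refused = False
    except AscensionError:
        refused = True
    with open(path, "rb") as f: content = f.read()
    return {"refused": refused, "content": content, "audit": audit(repo),
            "mode": stat.S_IMODE(os.stat(path).st_mode),
            "lock_left": os.path.lexists(path + LOCK_SUFFIX)}
```

The second add of `patch-1` is refused because a rename is only ever aimed at a name verified absent while the lock is held, which is the check the "rename + add implies modify" objection calls for.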

Thread overview: 3+ messages
2002-12-10 13:58 Tom Lord
2002-12-10 14:15 ` Tim Hollebeek
2002-12-10 15:07   ` Tom Lord [this message]