Technology support

Posted Dec 21, 2007 20:27 UTC (Fri) by geertj (subscriber, #4116) [Link]

But that wouldn't be effective against what happened with Squirrelmail, since the code was changed after it came out of the source repository.

It would be effective if the users would pull the code directly from a Monotone netsync server using "mtn sync". There is indeed no protection against modifying a tarfile after it is released from a monotone repository.

And it may not be effective against hackers who put code into source repositories either, because if you can get commit privilege on a Subversion server, you can probably also add a public key to a Monotone server or sign code as some authorized developer.

Being a distributed version control system, a typical way to deploy monotone is for all developers to have their own repository on their private workstations, and in addition to this one central netsync server connected to the Internet to which everybody synchronises. The development workstations can be behind a firewall and do not need to accept any incoming connection. The developers would normally store their private keys only on their workstations, hopefully protected by a passphrase. In this setup, a compromise of the netsync server (which is more likely than a compromise of a developer workstation because it is a public server) would not impact the security of the monotone sources hosted on it. The attacker can add anything to the repository he wants, but he has no access to a key that is trusted by the other developers with which he can certify the new revision.