Sourceforge Attack: Full Report
"It's better to be safe than sorry, so we've decided to perform a comprehensive validation of project data from file releases, to SCM commits. We will compare data [against] pre-attack backups, and will identify changed and added. We will review that data, and will also refer anything suspicious to individual project teams for further assessment as needed. [...] The validation work is a precaution, because while we don't have evidence of any data tampering, we'd much prefer to burn a bunch of CPU cycles verifying everything than to discover later that some extra special trickery led to some undetected badness."
Posted Jan 31, 2011 17:33 UTC (Mon)
by b7j0c (guest, #27559)
[Link]
Posted Jan 31, 2011 23:26 UTC (Mon)
by rbrito (guest, #66188)
[Link] (1 responses)
Some of the responses on that blog post seem to indicate a strong resistance to move from CVS (probably the Windows people use tools to interact with their CVS repositories?).
The consistency point is yet another one where git helps the users a lot, for you'd just have to compare a few sha1 hashes and you'd be done to check if there was any corruption in that repository.
The users themselves would also quickly notice if something strange happened in this regard, when trying to use their repositories (fork, pull, push, merge etc.).
I don't know if sourceforge allows something like github's forking a repository and keeping a personal copy, or if they only allow repositories attached to projects...
BTW, for those that are familiar, are other DVCSes the same way as git, with hashes and so on?
Posted Feb 1, 2011 12:02 UTC (Tue)
by dpotapov (guest, #46495)
[Link]
Mercurial uses SHA1 hashes in the same way as git, and both of them borrowed this idea from Monotone. Bazaar also uses SHA1 for integrity checking, but it relies on UUIDs to identify revisions. If you signed your revisions in Bazaar (with gpg), they cannot be forged, but I don't know Bazaar well enough to tell what happens with non-signed revisions.
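The two comments above make the same point about content-addressed repositories: because every commit hash covers the tree hash, which covers every blob hash, comparing one commit id against a pre-attack backup is enough to prove that no file in that snapshot was altered. The following script is an added example, not code from LWN, from the commenters, or from SourceForge; it reproduces git's actual loose-object hashing (`sha1("<kind> <size>\0" + payload)`) for blobs, a flat tree and a commit, then shows the one-hash check and the per-file fallback that locates what changed. The repository contents, author line and file names are constructed for the example, and subdirectories and non-regular file modes are deliberately left out.

```python
import hashlib
from typing import Dict, List, Optional, Tuple


def git_object_id(kind: str, payload: bytes) -> str:
    """Hash a loose object exactly as git does: sha1("<kind> <size>\\0" + payload)."""
    header = f"{kind} {len(payload)}\0".encode()
    return hashlib.sha1(header + payload).hexdigest()


def blob_id(content: bytes) -> str:
    return git_object_id("blob", content)


def tree_id(entries: Dict[str, str]) -> str:
    """Flat tree: entries map file name -> blob id.

    Git stores '<mode> <name>\\0' followed by the 20 raw hash bytes, sorted by name.
    Subdirectories and non-regular modes are not modelled here (assumption for this example).
    """
    payload = b"".join(
        b"100644 " + name.encode() + b"\0" + bytes.fromhex(entries[name])
        for name in sorted(entries)
    )
    return git_object_id("tree", payload)


def commit_id(tree: str, parent: Optional[str], message: str) -> str:
    """Commit object with a fixed author/committer line so the hash is reproducible offline."""
    lines = [f"tree {tree}"]
    if parent:
        lines.append(f"parent {parent}")
    # Constructed identity and timestamp; any change here would also change the commit id.
    lines.append("author Example Dev <dev@example.invalid> 1296500000 +0000")
    lines.append("committer Example Dev <dev@example.invalid> 1296500000 +0000")
    body = "\n".join(lines) + "\n\n" + message + "\n"
    return git_object_id("commit", body.encode())


def snapshot_commit(files: Dict[str, bytes], parent: Optional[str], message: str) -> str:
    """Hash a working-tree snapshot down to a single commit id (blob -> tree -> commit)."""
    blobs = {name: blob_id(data) for name, data in files.items()}
    return commit_id(tree_id(blobs), parent, message)


def changed_paths(backup: Dict[str, bytes], current: Dict[str, bytes]) -> List[str]:
    """Per-file comparison: added, removed, or content-changed paths."""
    out = []
    for name in sorted(set(backup) | set(current)):
        if name not in backup or name not in current:
            out.append(name)
        elif blob_id(backup[name]) != blob_id(current[name]):
            out.append(name)
    return out


def verify_against_backup(backup: Dict[str, bytes], current: Dict[str, bytes],
                          parent: Optional[str] = None,
                          message: str = "release 1.0") -> Tuple[bool, List[str]]:
    """One hash comparison answers 'was anything tampered with?'.

    The file-level walk is only needed to report *which* paths differ.
    """
    intact = snapshot_commit(backup, parent, message) == snapshot_commit(current, parent, message)
    return intact, ([] if intact else changed_paths(backup, current))


# Constructed sample snapshots: a pre-attack backup and a copy with one edited file.
BACKUP = {"README": b"hello\n", "build.sh": b"#!/bin/sh\nmake\n"}
TAMPERED = dict(BACKUP, **{"build.sh": b"#!/bin/sh\nmake all\n"})

if __name__ == "__main__":
    print("backup commit :", snapshot_commit(BACKUP, None, "release 1.0"))
    print("current commit:", snapshot_commit(TAMPERED, None, "release 1.0"))
    print("intact, changed paths:", verify_against_backup(BACKUP, TAMPERED))
```

The blob hashes produced here match what `git hash-object` prints for the same bytes, so a backup that recorded only the top-level commit id is sufficient evidence: any byte changed anywhere in the snapshot, or any file added or removed, yields a different commit id, and the per-file walk is run only when that comparison fails.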