Date: Wed, 1 Oct 2014 04:18:23 +0200 From: beeessdee@ruggedinbox.com To: "Glen Barber" <gjb@FreeBSD.org> Cc: freebsd-stable@freebsd.org Subject: svn repo verification (Re: FreeBSD 10.1-BETA3 Now Available) Message-ID: <f3fcd61828fdbe94f7ede7d0de13d2c8.squirrel@s4bysmmsnraf7eut.onion> In-Reply-To: <20140929121648.GL75063@hub.FreeBSD.org> References: <20140928155118.GA75063@hub.FreeBSD.org> <fe17030e3efeefb5dfa800b46ee181d9.squirrel@s4bysmmsnraf7eut.onion> <20140929025102.GH75063@hub.FreeBSD.org> <20140929031120.GI75063@hub.FreeBSD.org> <ebef3a6c539a7be6d6a953b1a0278049.squirrel@s4bysmmsnraf7eut.onion> <20140929121648.GL75063@hub.FreeBSD.org>
next in thread | previous in thread | raw e-mail | index | archive | help
[Subject changed and re@ snipped, this is not 10.1-BETA3 specific.] On Mon, September 29, 2014 2:16 pm, "Glen Barber" <gjb@FreeBSD.org> wrote: >> > Anyway, this is not RE-related. >> >> Jah, 'RE-related' would be public verify method for whole svn repo tied >> to >> audit trail of release process. :-( >> > > I don't understand what you mean. We have a verifiable audit trail - it > is all in svn revision history. By this I mean, cryptographic hash chain and signed commits. svn revision history is audit trail, but not *verifiable* audit trail. Is there such things in svn metadata? I did not find. If yes, this should be Handbook documented (and how to use it). Important because: * Data at rest in repository, protected from intrusion or the insider attack. * Data in transit on wire not protected by svn protocol (except for persons with the ssh access) * Every person, everywhere should be able confirm downloaded commit history is exactly equals bit-for-bit what you (gjb@), Core Team, re@ have in their machines! Obscure change (example classic "if(uid==0)" to single "if(uid=0)") in critical piece even 100.000 commits old should be easy detectable by anyone. Commit bit should be attached requirement of signing of the commits. Release Engineering should positively associate each release with checksum of entire chain of commits, back to r0. Thanks!
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?f3fcd61828fdbe94f7ede7d0de13d2c8.squirrel>