From owner-freebsd-hackers@freebsd.org  Fri Sep 20 21:04:10 2019
Return-Path: <owner-freebsd-hackers@freebsd.org>
Delivered-To: freebsd-hackers@mailman.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
 by mailman.nyi.freebsd.org (Postfix) with ESMTP id B490A127726;
 Fri, 20 Sep 2019 21:04:10 +0000 (UTC)
 (envelope-from grarpamp@gmail.com)
Received: from mail-io1-xd43.google.com (mail-io1-xd43.google.com
 [IPv6:2607:f8b0:4864:20::d43])
 (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)
 server-signature RSA-PSS (4096 bits)
 client-signature RSA-PSS (2048 bits) client-digest SHA256)
 (Client CN "smtp.gmail.com", Issuer "GTS CA 1O1" (verified OK))
 by mx1.freebsd.org (Postfix) with ESMTPS id 46ZmRZ0NNgz4dZW;
 Fri, 20 Sep 2019 21:04:09 +0000 (UTC)
 (envelope-from grarpamp@gmail.com)
Received: by mail-io1-xd43.google.com with SMTP id q1so19369670ion.1;
 Fri, 20 Sep 2019 14:04:09 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;
 h=mime-version:in-reply-to:references:from:date:message-id:subject:to
 :cc:content-transfer-encoding;
 bh=LPSI5BzqVlp1Oy96Cdq88l+LJG9kqdV2TFC/6hJtJuE=;
 b=h8yffhjPaxUN8oBhTeekG7iy/zFiZRF/abiwjA3xDAPexx41JEci9mR7bNWDpOGCk4
 6dkD/b48xOVFWyi9dTi39Y4mv2pYOPQVHPep6RuQfjhXVCEI2nSyDyZbzTEWYMmGU7fT
 hYJs039vUz/ZQdtrApNzOIQa05ZvoiSL/7pSIB1gv43eRTJ9kAII5zDfuqmIZgKbatXI
 gKuzoAZ1oU3tcrDJ6Sg7uXO+Au66m6LCFHbAwvx2fjSUp4Pciw+mkwhI7XUalR1c2io/
 gHcw86ew9Ko6eic3iDqZZSEWUl5BS4Vq+e0Lx8eXmT4SYpKt8Yoc0A/iuVFvbjQLByLA
 hv2Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20161025;
 h=x-gm-message-state:mime-version:in-reply-to:references:from:date
 :message-id:subject:to:cc:content-transfer-encoding;
 bh=LPSI5BzqVlp1Oy96Cdq88l+LJG9kqdV2TFC/6hJtJuE=;
 b=IRzW5jp0DWpyy4qsfZUBbFN1gkron/WtmRMMp73avjrmYsG6qAHQZuaAOuHanXAufj
 cFasgAyVkIopO7xw3M1ulTIi63tMnRg8YrBnX2HoY6wJqKyDLKMh1QwIQYq7Zays/dGo
 zXn0ay7xTrOKhVmtO2I2tv/BjpmE244HF3oV4U1BTdAZjSBjUWkDRl67lPsNm7q9qv9+
 jAHhKX0l0F0XmrS86k2aO41OpHChmBeUtz1LO8aWGGW33q+C9DjYB5BrGBXefZrQneIQ
 7Tvh0cc51gpRgoslIRGjS49UxSSfUrJOVOiol4VKtxRPefMTQwm9T9fpfsG4UoPq3fL/
 +akw==
X-Gm-Message-State: APjAAAWinv+7ktdfljiolBelThpA1jNJ9O/LzsDH2xx+z5RWWeMywqLy
 RlLzhcFqgtCXjx3PHXtxzMgiMKYZtbCA7SNDuGZbeK1T
X-Google-Smtp-Source: APXvYqxHlH1D43iOQLGuw1MfAI6zzsagskedwCuAEp0yf6t1t0Pz7VBkQ16wLIxd1q/i6qtIcVE1hGgkwy4S/MZ9s34=
X-Received: by 2002:a6b:f80f:: with SMTP id o15mr13032915ioh.174.1569013448487; 
 Fri, 20 Sep 2019 14:04:08 -0700 (PDT)
MIME-Version: 1.0
Received: by 2002:a02:9f01:0:0:0:0:0 with HTTP; Fri, 20 Sep 2019 14:04:08
 -0700 (PDT)
In-Reply-To: <CAD2Ti2_p0Yq4VBGMnzxfJABaV94D4a0vsVMuAGgQn6Cm06p+_w@mail.gmail.com>
References: <CAD2Ti2_p0Yq4VBGMnzxfJABaV94D4a0vsVMuAGgQn6Cm06p+_w@mail.gmail.com>
From: grarpamp <grarpamp@gmail.com>
Date: Fri, 20 Sep 2019 17:04:08 -0400
Message-ID: <CAD2Ti2_5HndZ1_tnSEBiuTJpvb0fU8X8vobqXD_eVpHiagfTvg@mail.gmail.com>
Subject: Re: Git/Mtn for FreeBSD, PGP WoT Sigs, Merkel Hash Tree Based
To: freebsd-security@freebsd.org
Cc: freebsd-questions@freebsd.org, freebsd-hackers@freebsd.org
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Rspamd-Queue-Id: 46ZmRZ0NNgz4dZW
X-Spamd-Bar: --
Authentication-Results: mx1.freebsd.org;
 dkim=pass header.d=gmail.com header.s=20161025 header.b=h8yffhjP;
 dmarc=pass (policy=none) header.from=gmail.com;
 spf=pass (mx1.freebsd.org: domain of grarpamp@gmail.com designates
 2607:f8b0:4864:20::d43 as permitted sender) smtp.mailfrom=grarpamp@gmail.com
X-Spamd-Result: default: False [-3.00 / 15.00]; ARC_NA(0.00)[];
 NEURAL_HAM_MEDIUM(-1.00)[-1.000,0];
 R_DKIM_ALLOW(-0.20)[gmail.com:s=20161025]; FROM_HAS_DN(0.00)[];
 RCPT_COUNT_THREE(0.00)[3];
 R_SPF_ALLOW(-0.20)[+ip6:2607:f8b0:4000::/36:c];
 FREEMAIL_FROM(0.00)[gmail.com]; MIME_GOOD(-0.10)[text/plain];
 TO_DN_NONE(0.00)[]; NEURAL_HAM_LONG(-1.00)[-1.000,0];
 IP_SCORE_FREEMAIL(0.00)[]; TO_MATCH_ENVRCPT_ALL(0.00)[];
 IP_SCORE(0.00)[ip: (2.08), ipnet: 2607:f8b0::/32(-2.65), asn: 15169(-2.20),
 country: US(-0.05)]; DKIM_TRACE(0.00)[gmail.com:+];
 DMARC_POLICY_ALLOW(-0.50)[gmail.com,none];
 RCVD_IN_DNSWL_NONE(0.00)[3.4.d.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.0.4.6.8.4.0.b.8.f.7.0.6.2.list.dnswl.org
 : 127.0.5.0]; FROM_EQ_ENVFROM(0.00)[]; MIME_TRACE(0.00)[0:+];
 FREEMAIL_ENVFROM(0.00)[gmail.com];
 ASN(0.00)[asn:15169, ipnet:2607:f8b0::/32, country:US];
 RCVD_COUNT_TWO(0.00)[2]; RCVD_TLS_ALL(0.00)[];
 DWL_DNSWL_NONE(0.00)[gmail.com.dwl.dnswl.org : 127.0.5.0]
X-BeenThere: freebsd-hackers@freebsd.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Technical Discussions relating to FreeBSD
 <freebsd-hackers.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-hackers>, 
 <mailto:freebsd-hackers-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-hackers/>
List-Post: <mailto:freebsd-hackers@freebsd.org>
List-Help: <mailto:freebsd-hackers-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-hackers>, 
 <mailto:freebsd-hackers-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Fri, 20 Sep 2019 21:04:10 -0000

[broken links fixed]

For consideration...

SVN really may not offer much in the way of native
internal self authenticating repo to cryptographic levels
of security against bitrot, transit corruption and repo ops,
external physical editing, have much signing options, etc.
Similar to blockchain and ZFS hash merkle-ization,
signing the repo init and later points tags commits,
along with full verification toolset, is useful function.

https://www.monotone.ca/
https://en.wikipedia.org/wiki/Monotone_(software)
https://git-scm.com/
https://en.wikipedia.org/wiki/Git

Maintaining the kernel's web of trust
https://lwn.net/Articles/798230/

Distributing kernel developer PGP keys via pgpkeys.git
https://lkml.org/lkml/2019/8/30/597

Signing patch flow
https://lwn.net/Articles/737093/

Compromised security happens
https://lwn.net/Articles/464233/

https://security.stackexchange.com/questions/67920/how-safe-are-signed-git-=
tags-only-as-safe-as-sha-1-or-somehow-safer
https://stackoverflow.com/questions/28792784/why-does-git-use-a-cryptograph=
ic-hash-function
http://fossil-scm.org/index.html/doc/trunk/www/hashpolicy.wiki
https://ericsink.com/vcbe/html/cryptographic_hashes.html
https://svn.haxx.se/dev/archive-2015-06/0052.shtml
http://git.661346.n2.nabble.com/Verifying-the-whole-repository-td1368311.ht=
ml
https://shattered.io/
https://www.youtube.com/watch?v=3DG8wQ88d85s4
https://en.wikipedia.org/wiki/Data_degradation
https://git-scm.com/docs/git-fsck
https://marc.info/?l=3Dgit&m=3D118143549107708
https://en.wikipedia.org/wiki/Comparison_of_version-control_software
https://en.wikipedia.org/wiki/Deterministic_compilation
https://www.monotone.ca/monotone.html#Trust-Evaluation-Hooks

How does one know their entire copy of repo obtained on
DVD, "mirror", or elsewhere cryptographically
matches the authoritative repo... that any commits
were actually signed off on... or that any reproducible
builds are even reproducing the main repo... etc...
cannot be done without secure crypto infrastructure at
the very core.

"User also knows that even if someone should break into the shared
hosting server and tamper with the database, they won=E2=80=99t be able to
inject malicious code into the project, because all revisions are signed
by the team members, and he has set his Trust Evaluation Hooks so
he doesn=E2=80=99t trust the server key for signing revisions.
In monotone, the important trust consideration is on the signed content,
rather than on the replication path by which that content arrived in your
database."


Note also CVS, which some BSD's still use (ahem: Open, Net),
is even worse than SVN with zero protection
at all in any component regarding this subject.

It really time to migrate repo tech to year 2020.