Date: Fri, 06 Feb 2009 19:14:14 +0200
From: Giorgos Keramidas <keramida@ceid.upatras.gr>
To: cpghost <cpghost@cordula.ws>
Cc: "freebsd-questions@freebsd.org" <freebsd-questions@freebsd.org>
Subject: Re: OT: SVN checkout checksumming
Message-ID: <871vubv66x.fsf@kobe.laptop>
In-Reply-To: <20090206165800.GB1444@phenom.cordula.ws> (cpghost@cordula.ws's message of "Fri, 6 Feb 2009 17:58:00 +0100")
References: <4989B239.9090504@optiksecurite.com> <878wolpydl.fsf@kobe.laptop> <20090206165800.GB1444@phenom.cordula.ws>
On Fri, 6 Feb 2009 17:58:00 +0100, cpghost <cpghost@cordula.ws> wrote:
>> Let's assume for a moment that you install a post-commit hook that
>> generates a SHA-256 checksum of all the files in the latest repo
>> revision on the svn server.
>>
>> For the sake of simplicity, let's assume that this file is a simple,
>> plain text file that is named db/revs/NUMBER.sha256 where 'NUMBER' is
>> the revision number you are check-summing.
>>
>> How are you going to *safely* transmit those SHA-256 checksums to the
>> client on 'svn checkout'?
>
> Well, sorry to bring this back up, but again: how about signing
> NUMBER.sha256 with a GnuPG private key belonging to the FreeBSD
> Project? If there's a way to *safely* get the corresponding
> public key, checking the signature of the NUMBER.sha256 files
> would be trivial.

If the signed data is not part of the actual repository, you have a
signature for a numeric value, not a signature for the *contents* of the
repository itself. I think I am missing something here...
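A concrete way to see the distinction drawn above, as an added example that is not part of the original thread: what a GnuPG signature would need to cover is a manifest of per-file SHA-256 digests of the revision's content, and a client verifies a checkout by recomputing every file's digest against that signed list. The manifest format and function names are hypothetical (not Subversion's own), the GnuPG step itself is left out, and the sample tree is constructed inline.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List

# Hypothetical manifest format (not Subversion's own): one "<sha256>  <path>" line per
# regular file, sorted by path, so the manifest of a revision is canonical and signable.

def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root: Path) -> str:
    """List every regular file under root with its SHA-256; .svn metadata is skipped."""
    lines = []
    for p in sorted(root.rglob("*")):
        rel = p.relative_to(root)
        if p.is_file() and ".svn" not in rel.parts:
            lines.append(f"{sha256_file(p)}  {rel.as_posix()}")
    return "\n".join(lines) + "\n"

def parse_manifest(manifest: str) -> Dict[str, str]:
    return {rel: digest for digest, _, rel in
            (line.partition("  ") for line in manifest.splitlines() if line)}

def manifest_digest(manifest: str) -> str:
    """The value a detached signature should actually cover: a digest of the file list,
    which changes whenever any file's content, name or presence changes."""
    return hashlib.sha256(manifest.encode()).hexdigest()

def verify_checkout(root: Path, manifest: str) -> Dict[str, List[str]]:
    """Compare a checkout against a manifest whose signature has already been checked."""
    expected, actual = parse_manifest(manifest), parse_manifest(build_manifest(root))
    return {
        "tampered": sorted(p for p in expected if p in actual and actual[p] != expected[p]),
        "missing": sorted(p for p in expected if p not in actual),
        "extra": sorted(p for p in actual if p not in expected),
    }

def demo() -> Dict[str, List[str]]:
    """Constructed tree: manifest a clean tree, then modify, delete and add a file."""
    root = Path(tempfile.mkdtemp())
    (root / "src").mkdir()
    (root / "src" / "main.c").write_text("int main(void) { return 0; }\n")
    (root / "README").write_text("hello\n")
    manifest = build_manifest(root)
    (root / "src" / "main.c").write_text("int main(void) { return 1; }\n")
    (root / "README").unlink()
    (root / "extra.txt").write_text("not in the signed revision\n")
    return verify_checkout(root, manifest)
```

A signature over only the revision number would verify fine against all three changes above; a signature over `manifest_digest()` of the file list is what lets the client detect them.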