bug-cvs
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: GPG-Signed Commits and RCS Keyword exploit [long]


From: Derek Price
Subject: Re: GPG-Signed Commits and RCS Keyword exploit [long]
Date: Thu, 22 Sep 2005 10:58:41 -0400
User-agent: Mozilla Thunderbird 1.0.6 (Windows/20050716)

Jim Hyslop wrote:

> will this be signed as if I am checking in the un-expanded keyword,
> i.e. as if the file contains:


No.  Whatever content the file contains will be signed as is (after line
endings are converted for test files).  If keywords are spotted, the
user will see a warning or error like:

    cvs commit: warning: Detected keywords in signed file `dir/foo'.

or

    cvs [commit aborted]: Detected keywords in signed file `dir/foo'.

Whether this is a warning or an error will probably depend on a command
line option, though I haven't decided for certain yet.

The implications of this are that keyword replacement would still happen
on checkout and signatures would always fail to validate, unless the
files are checked out -ko, in which case they could still be validated.

Regards,

Derek

-- 
Derek R. Price
CVS Solutions Architect
Ximbiot <http://ximbiot.com>
v: +1 717.579.6168
f: +1 717.234.3125
<mailto:address@hidden>






reply via email to

[Prev in Thread] Current Thread [Next in Thread]