Subject: Re: attempt to plant a back door in the Linux kernel
To: None <>
From: Thor Lancelot Simon <>
List: tech-security
Date: 11/11/2003 13:08:57
On Tue, Nov 11, 2003 at 01:25:31AM -0600, Andy Isaacson wrote:
> Furthermore:  when a clone is made of a BitKeeper repository, the
> resulting repository is a fully functional duplicate of its parent.
> Every peer who has downloaded a copy of the Linux BK tree has a complete
> revision history, so there's no master copy to compromise -- if Linus'
> tree were modified by an intruder, he would be able to compare it
> against any other copy of the tree to find the changes.  (And in fact,
> Linus has several trees; the ones on his main work machine and the ones
> on, to start.)   It's not completely secure, but BK
> does make the attacker's job enormously more difficult than a
> centralized, there-is-one-repository CVS system.

The above paragraph is almost completely specious; all of the assertions
made about copies of BitKeeper repositories are equally true of copies of
CVS repositories, and the implicaiton that, for example, our CVS repository
is "centralized, there-is-one-repository" and thus somehow more vulnerable
than the Linux BitKeeper repository is quite simply and entirely false.