Bazaar

inventory sha1 is not checked during routine operation

Bug #181143 reported by Robert Collins
2
Affects Status Importance Assigned to Milestone
Bazaar
Confirmed
Medium
Unassigned
Breezy
Triaged
Medium
Unassigned

Bug Description

We check that the sha1 of a stored inventory is what the knit thinks it
should be, but AFAICT we don't check that the revision object expected
that sha1 ;).

So we're safe against bit-errors in the inventory store, but not against
deliberate manipulation.

 affects bzr
--
GPG key available at: <http://www.robertcollins.net/keys.txt>.

Revision history for this message
John A Meinel (jameinel) wrote :

Is it enough to check the revision text against the stored inventory sha? (Rather than re-hashing the full-text at that time?)

Changed in bzr:
importance: Undecided → Medium
status: New → Triaged
Martin Pool (mbp)
Changed in bzr:
status: Triaged → Confirmed
Revision history for this message
Jelmer Vernooij (jelmer) wrote :

is this still an issue with chk repositories?

tags: added: data-integrity
Revision history for this message
Martin Pool (mbp) wrote : Re: [Bug 181143] Re: inventory sha1 is not checked during routine operation

On 2 February 2011 03:09, Jelmer Vernooij <email address hidden> wrote:
> is this still an issue with chk repositories?

I think this is now basically safe. Perhaps we should make sure that
any attempt to get an inventory by revision-id always first gets the
relevant revision, then from that gets the inventory base SHA1. I
don't think that is true at the moment. Are other changes needed?

Jelmer Vernooij (jelmer)
tags: added: check-for-breezy
Jelmer Vernooij (jelmer)
tags: removed: check-for-breezy
Changed in brz:
status: New → Triaged
importance: Undecided → Medium
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.