Changes between Initial Version and Version 1 of Ticket #30479, comment 4


Timestamp:
May 11, 2019, 3:48:36 PM (4 months ago)
Author:
gk
  • Ticket #30479, comment 4

    initial  v1
    8        8    1) Create a new tag for, say Torbutton, like 2.1.8 and push that to our git repo
    9        9    2) An attacker replaces the contents of `.git/refs/tags/2.1.8` with those of `.git/refs/tags/2.1.7`
    10            3) We fetch the new tags to our build machines and start building
             10   3) We fetch the new tag to our build machines and start building
    11       11   4) The verification of "2.1.8" succeeds and git is happily using the old and possibly outdated 2.1.7 as 2.1.8, although we wanted to have a different commit for 2.1.8 (i.e. the originally tagged one).
    12       12   5) We ship 2.1.7 although our `torbutton` config shows `2.1.8`
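
A build-side check for the scenario above, as an added example that is not part of the ticket or of the project's build scripts: an annotated tag object carries its own name in a `tag` header, which is part of the signed tag object, so comparing that header with the ref name catches a ref that points at a different, validly signed tag. It assumes loose (unpacked) refs and objects, uses constructed unsigned sample tags, and complements signature verification rather than replacing it; the function names are hypothetical.

```python
import hashlib, os, tempfile, zlib

def read_loose_object(git_dir, sha):
    """Return (type, body) of a loose object (packed objects are not handled)."""
    with open(os.path.join(git_dir, "objects", sha[:2], sha[2:]), "rb") as f:
        header, body = zlib.decompress(f.read()).split(b"\x00", 1)
    return header.split(b" ")[0].decode(), body

def embedded_tag_name(body):
    """Return the name from the 'tag <name>' header of an annotated tag object."""
    for line in body.split(b"\n\n", 1)[0].split(b"\n"):  # headers end at blank line
        if line.startswith(b"tag "):
            return line[4:].decode()
    return None

def ref_matches_tag(git_dir, name):
    """True only if refs/tags/<name> points at a tag object naming itself <name>."""
    with open(os.path.join(git_dir, "refs", "tags", name)) as f:
        sha = f.read().strip()
    kind, body = read_loose_object(git_dir, sha)
    return kind == "tag" and embedded_tag_name(body) == name

def write_sample_tag(git_dir, name):
    """Constructed test data: an unsigned annotated tag stored as a loose object."""
    body = (f"object {'0' * 40}\ntype commit\ntag {name}\n"
            f"tagger Example <e@example.invalid> 0 +0000\n\nrelease {name}\n").encode()
    raw = b"tag %d\x00" % len(body) + body
    sha = hashlib.sha1(raw).hexdigest()
    os.makedirs(os.path.join(git_dir, "objects", sha[:2]), exist_ok=True)
    with open(os.path.join(git_dir, "objects", sha[:2], sha[2:]), "wb") as f:
        f.write(zlib.compress(raw))
    os.makedirs(os.path.join(git_dir, "refs", "tags"), exist_ok=True)
    with open(os.path.join(git_dir, "refs", "tags", name), "w") as f:
        f.write(sha + "\n")

def demo():
    git_dir = tempfile.mkdtemp()
    write_sample_tag(git_dir, "2.1.7")
    write_sample_tag(git_dir, "2.1.8")
    before = ref_matches_tag(git_dir, "2.1.8")
    # Step 2 of the scenario: the 2.1.8 ref now holds the contents of the 2.1.7 ref.
    with open(os.path.join(git_dir, "refs", "tags", "2.1.7")) as src:
        swapped = src.read()
    with open(os.path.join(git_dir, "refs", "tags", "2.1.8"), "w") as dst:
        dst.write(swapped)
    return before, ref_matches_tag(git_dir, "2.1.8"), ref_matches_tag(git_dir, "2.1.7")

if __name__ == "__main__":
    print(demo())
```

On a real checkout the same comparison can be made against the output of `git cat-file tag <name>`, which also covers packed objects.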