author | Petr Praus <petr@praus.net> | 2013-04-01 13:28:28 -0500 |
---|---|---|
committer | bitcoindev <bitcoindev@gnusha.org> | 2013-04-01 19:36:30 +0000 |
commit | 071a6b20c29a04373f1db833c9e84f813b739f51 (patch) | |
tree | 55e998b1a6c53a549c3223685f7ef377fa373778 | |
parent | 41ea10dc3d0c0df89029efb26a96d325008b4dae (diff) | |
download | pi-bitcoindev-071a6b20c29a04373f1db833c9e84f813b739f51.tar.gz pi-bitcoindev-071a6b20c29a04373f1db833c9e84f813b739f51.zip |
Re: [Bitcoin-development] bitcoin pull requests
-rw-r--r-- | be/90f2051086a46c0b9c0f177dbb625584808787 | 165 |
1 files changed, 165 insertions, 0 deletions
diff --git a/be/90f2051086a46c0b9c0f177dbb625584808787 b/be/90f2051086a46c0b9c0f177dbb625584808787 new file mode 100644 index 000000000..714ccfb52 --- /dev/null +++ b/be/90f2051086a46c0b9c0f177dbb625584808787 
@@ -0,0 +1,165 @@ +Received: from sog-mx-2.v43.ch3.sourceforge.com ([172.29.43.192] + helo=mx.sourceforge.net) + by sfs-ml-2.v29.ch3.sourceforge.com with esmtp (Exim 4.76) + (envelope-from <petr@praus.net>) id 1UMkWs-0005sM-3V + for bitcoin-development@lists.sourceforge.net; + Mon, 01 Apr 2013 19:36:30 +0000 +Received-SPF: pass (sog-mx-2.v43.ch3.sourceforge.com: domain of praus.net + designates 209.85.215.42 as permitted sender) + client-ip=209.85.215.42; envelope-from=petr@praus.net; + helo=mail-la0-f42.google.com; +Received: from mail-la0-f42.google.com ([209.85.215.42]) + by sog-mx-2.v43.ch3.sourceforge.com with esmtps (TLSv1:RC4-SHA:128) + (Exim 4.76) id 1UMkWp-00038t-Jt + for bitcoin-development@lists.sourceforge.net; + Mon, 01 Apr 2013 19:36:30 +0000 +Received: by mail-la0-f42.google.com with SMTP id fe20so2431151lab.29 + for <bitcoin-development@lists.sourceforge.net>; + Mon, 01 Apr 2013 12:36:20 -0700 (PDT) +X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; + d=google.com; s=20120113; + h=x-received:mime-version:x-originating-ip:in-reply-to:references + :from:date:message-id:subject:to:cc:content-type:x-gm-message-state; + bh=sR0SBDTZptBiS7LVp2F842T0+wbHvs2+uryHQF4eYbg=; + b=g1JqmCZYkemcKVfDwWY+5dnOGsL6gPjQwwDhF2ISJgFYXUeayErNVRvDOrsM0U5VIn + fNfsRPtK0QD5ITllSZfnPkx0jJ0dVndOcFXHcn9KSJQE2DfvyhVjHoyDjYDuAF8u484E + EegczJCQ4Cx71P0rVjtC6xkpGetcGboNc2rvQxoJUZR7ipK1cwnTtSSFMB824QACvx8v + w+xS3QtMX9rjpdRn9lWtTICpbbZCypeLJ0tpWSLVPQ5tHXsnZxGp/oaYlBdcp7xpCdU/ + WFPr7lW8T7V6lgB+EltbNPbAUchXIrhSc96Ar3hdaR+5x/0UvbLf5pQzpHL6UhpRzEtK + dGkA== +X-Received: by 10.112.137.135 with SMTP id qi7mr6173958lbb.117.1364840928259; + Mon, 01 Apr 2013 11:28:48 -0700 (PDT) +MIME-Version: 1.0 +Received: by 10.112.35.107 with HTTP; Mon, 1 Apr 2013 11:28:28 -0700 (PDT) +X-Originating-IP: [129.62.151.28] +In-Reply-To: <CAKaEYhK5ZzP8scbhyzkEU+WdWjwMBDzkgF+SrC-Mdjgo9G9RnA@mail.gmail.com> +References: <CAKaEYhK5ZzP8scbhyzkEU+WdWjwMBDzkgF+SrC-Mdjgo9G9RnA@mail.gmail.com> +From: 
Petr Praus <petr@praus.net> +Date: Mon, 1 Apr 2013 13:28:28 -0500 +Message-ID: <CACezXZ94oDX1O7y7cgh+HvDj4QiDWmy1NVQ4Ahq=gmzhgmUaHQ@mail.gmail.com> +To: Melvin Carvalho <melvincarvalho@gmail.com> +Content-Type: multipart/alternative; boundary=089e012292fab445c404d950ca84 +X-Gm-Message-State: ALoCoQkfesYoec5eDmoJszr+gKLm1CcSeoesvz7Dx35uLe0cuApOAGpWeVKoGsNsXf8ItdzZTaKw +X-Spam-Score: -0.6 (/) +X-Spam-Report: Spam Filtering performed by mx.sourceforge.net. + See http://spamassassin.org/tag/ for more details. + -1.5 SPF_CHECK_PASS SPF reports sender host as permitted sender for + sender-domain + -0.0 SPF_PASS SPF: sender matches SPF record + 1.0 HTML_MESSAGE BODY: HTML included in message + -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from + author's domain + 0.1 DKIM_SIGNED Message has a DKIM or DK signature, + not necessarily valid + -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature +X-Headers-End: 1UMkWp-00038t-Jt +Cc: Bitcoin Dev <bitcoin-development@lists.sourceforge.net> +Subject: Re: [Bitcoin-development] bitcoin pull requests +X-BeenThere: bitcoin-development@lists.sourceforge.net +X-Mailman-Version: 2.1.9 +Precedence: list +List-Id: <bitcoin-development.lists.sourceforge.net> +List-Unsubscribe: <https://lists.sourceforge.net/lists/listinfo/bitcoin-development>, + <mailto:bitcoin-development-request@lists.sourceforge.net?subject=unsubscribe> +List-Archive: <http://sourceforge.net/mailarchive/forum.php?forum_name=bitcoin-development> +List-Post: <mailto:bitcoin-development@lists.sourceforge.net> +List-Help: <mailto:bitcoin-development-request@lists.sourceforge.net?subject=help> +List-Subscribe: <https://lists.sourceforge.net/lists/listinfo/bitcoin-development>, + <mailto:bitcoin-development-request@lists.sourceforge.net?subject=subscribe> +X-List-Received-Date: Mon, 01 Apr 2013 19:36:30 -0000 + +--089e012292fab445c404d950ca84 +Content-Type: text/plain; charset=UTF-8 + +An attacker would have to find a collision between two 
specific pieces of +code - his malicious code and a useful innoculous code that would be +accepted as pull request. This is the second, much harder case in the +birthday problem. When people talk about SHA-1 being broken they actually +mean the first case in the birthday problem - find any two arbitrary values +that hash to the same value. So, no I don't think it's a feasible attack +vector any time soon. + +Besides, with that kind of hashing power, it might be more feasible to +cause problems in the chain by e.g. constantly splitting it. + + +On 1 April 2013 03:26, Melvin Carvalho <melvincarvalho@gmail.com> wrote: + +> I was just looking at: +> +> https://bitcointalk.org/index.php?topic=4571.0 +> +> I'm just curious if there is a possible attack vector here based on the +> fact that git uses the relatively week SHA1 +> +> Could a seemingly innocuous pull request generate another file with a +> backdoor/nonce combination that slips under the radar? +> +> Apologies if this has come up before ... +> +> +> ------------------------------------------------------------------------------ +> Own the Future-Intel® Level Up Game Demo Contest 2013 +> Rise to greatness in Intel's independent game demo contest. +> Compete for recognition, cash, and the chance to get your game +> on Steam. $5K grand prize plus 10 genre and skill prizes. +> Submit your demo by 6/6/13. http://p.sf.net/sfu/intel_levelupd2d +> _______________________________________________ +> Bitcoin-development mailing list +> Bitcoin-development@lists.sourceforge.net +> https://lists.sourceforge.net/lists/listinfo/bitcoin-development +> +> + +--089e012292fab445c404d950ca84 +Content-Type: text/html; charset=UTF-8 +Content-Transfer-Encoding: quoted-printable + +<div dir=3D"ltr">An attacker would have to find a collision between two spe= +cific pieces of code - his malicious code and a useful innoculous code that= + would be accepted as pull request. This is the second, much harder case in= + the birthday problem. 
When people talk about SHA-1 being broken they actua= +lly mean the first case in the birthday problem - find any two arbitrary va= +lues that hash to the same value. So, no I don't think it's a feasi= +ble attack vector any time soon.<div style> + +<br></div><div style>Besides, with that kind of hashing power, it might be = +more feasible to cause problems in the chain by e.g. constantly splitting i= +t.</div></div><div class=3D"gmail_extra"><br><br><div class=3D"gmail_quote"= +> + +On 1 April 2013 03:26, Melvin Carvalho <span dir=3D"ltr"><<a href=3D"mai= +lto:melvincarvalho@gmail.com" target=3D"_blank">melvincarvalho@gmail.com</a= +>></span> wrote:<br><blockquote class=3D"gmail_quote" style=3D"margin:0 = +0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> + +<div dir=3D"ltr"><div><div><div>I was just looking at:<br><br><a href=3D"ht= +tps://bitcointalk.org/index.php?topic=3D4571.0" target=3D"_blank">https://b= +itcointalk.org/index.php?topic=3D4571.0</a><br><br></div>I'm just curio= +us if there is a possible attack vector here based on the fact that git use= +s the relatively week SHA1<br> + + +<br></div>Could a seemingly innocuous pull request generate another file wi= +th a backdoor/nonce combination that slips under the radar?<br><br></div>Ap= +ologies if this has come up before ...<br></div> +<br>-----------------------------------------------------------------------= +-------<br> +Own the Future-Intel&reg; Level Up Game Demo Contest 2013<br> +Rise to greatness in Intel's independent game demo contest.<br> +Compete for recognition, cash, and the chance to get your game<br> +on Steam. $5K grand prize plus 10 genre and skill prizes.<br> +Submit your demo by 6/6/13. 
<a href=3D"http://p.sf.net/sfu/intel_levelupd2d= +" target=3D"_blank">http://p.sf.net/sfu/intel_levelupd2d</a><br>___________= +____________________________________<br> +Bitcoin-development mailing list<br> +<a href=3D"mailto:Bitcoin-development@lists.sourceforge.net">Bitcoin-develo= +pment@lists.sourceforge.net</a><br> +<a href=3D"https://lists.sourceforge.net/lists/listinfo/bitcoin-development= +" target=3D"_blank">https://lists.sourceforge.net/lists/listinfo/bitcoin-de= +velopment</a><br> +<br></blockquote></div><br></div> + +--089e012292fab445c404d950ca84-- + + |
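Review bot: the added file keeps the sender's client address (`X-Originating-IP: [129.62.151.28]`) and the `X-Gm-Message-State` token in the header block, and it stores the quoted-printable text/html alternative after the second `--089e012292fab445c404d950ca84` boundary, which only repeats the text/plain body and the list footer. If the archive is meant to be a byte-exact copy of what the list server received, say so in the commit message, which currently carries only the Subject line; otherwise consider dropping the client-IP header and the duplicate HTML part before committing. Either way, a short note on how the `be/90f2051086a46c0b9c0f177dbb625584808787` path is derived would let a reader verify that the file name matches the message it holds.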