unofficial mirror of emacs-devel@gnu.org 
* What shall we do to verify the CVS diffs for emacs?
@ 2003-12-16  1:29 Kim F. Storm
  2003-12-17  3:27 ` Richard Stallman
  0 siblings, 1 reply; 15+ messages in thread
From: Kim F. Storm @ 2003-12-16  1:29 UTC (permalink / raw)



Emacs diffs are now ready for verification.

See http://savannah.gnu.org/statement.html

How shall we organize the verification of those diffs?

-- 
Kim F. Storm <storm@cua.dk> http://www.cua.dk


* Re: What shall we do to verify the CVS diffs for emacs?
  2003-12-16  1:29 Kim F. Storm
@ 2003-12-17  3:27 ` Richard Stallman
  0 siblings, 0 replies; 15+ messages in thread
From: Richard Stallman @ 2003-12-17  3:27 UTC (permalink / raw)
  Cc: emacs-devel

It would be very useful for someone to take overall charge of the
verification activity--to make sure that at least the important files
do get checked.  I can't do it myself, though; I don't have time.
(Since my elbow broke, I have barely been able to work on Emacs at
all.)

Can someone volunteer to do this?


* Re: What shall we do to verify the CVS diffs for emacs?
@ 2004-01-13 21:34 Dan Hoey
  2004-01-14  6:14 ` Eli Zaretskii
  2004-01-15 21:21 ` Richard Stallman
  0 siblings, 2 replies; 15+ messages in thread
From: Dan Hoey @ 2004-01-13 21:34 UTC (permalink / raw)


On 16 Dec 2003 02:29:46 +0100, Kim F. Storm wrote:

> Emacs diffs are now ready for verification.
> See http://savannah.gnu.org/statement.html
> How shall we organize the verification of those diffs?

On 16 Dec 2003 22:27:47 -0500, Richard Stallman wrote:

> It would be very useful for someone to take overall charge of the
> verification activity--to make sure that at least the important files
> do get checked.  I can't do it myself, though; I don't have time.
> (Since my elbow broke, I have barely been able to work on Emacs at
> all.)

> Can someone volunteer to do this?

Was anything done about this?  Is it going to be left to luck that
anything bogus will eventually be noticed?  I'm not complaining (or
volunteering), but I'd like to know if there is any peace-of-mind
increment on the horizon.

Dan
Hoey@AIC.NRL.Navy.Mil


* Re: What shall we do to verify the CVS diffs for emacs?
  2004-01-13 21:34 What shall we do to verify the CVS diffs for emacs? Dan Hoey
@ 2004-01-14  6:14 ` Eli Zaretskii
  2004-01-14 20:08   ` Dan Hoey
  2004-01-15 21:21 ` Richard Stallman
  1 sibling, 1 reply; 15+ messages in thread
From: Eli Zaretskii @ 2004-01-14  6:14 UTC (permalink / raw)
  Cc: emacs-devel

> Date: Tue, 13 Jan 2004 16:34:25 -0500 (EST)
> From: Dan Hoey <Hoey@aic.nrl.navy.mil>
> 
> On 16 Dec 2003 22:27:47 -0500, Richard Stallman wrote:
> 
> > It would be very useful for someone to take overall charge of the
> > verification activity--to make sure that at least the important files
> > do get checked.  I can't do it myself, though; I don't have time.
> > (Since my elbow broke, I have barely been able to work on Emacs at
> > all.)
> 
> > Can someone volunteer to do this?
> 
> Was anything done about this?

Not that I know of.

> Is it going to be left to luck that anything bogus will eventually
> be noticed?

Probably.  It's free software maintained by a bunch of volunteers on
their free time, so unless you are willing to volunteer, there's no
sense in nagging.


* Re: What shall we do to verify the CVS diffs for emacs?
  2004-01-14  6:14 ` Eli Zaretskii
@ 2004-01-14 20:08   ` Dan Hoey
  2004-01-15 11:43     ` Thien-Thi Nguyen
  0 siblings, 1 reply; 15+ messages in thread
From: Dan Hoey @ 2004-01-14 20:08 UTC (permalink / raw)


Eli Zaretskii <eliz@elta.co.il> wrote:

> > Was anything done about this?

> Not that I know of.

> > Is it going to be left to luck that anything bogus will eventually
> > be noticed?

> Probably.  It's free software maintained by a bunch of volunteers on
> their free time, so unless you are willing to volunteer, there's no
> sense in nagging.

I tried to make it clear that I am not nagging.  That's why I wrote

> > I'm not complaining (or volunteering), but I'd like to know if
> > there is any peace-of-mind increment on the horizon.

I'm just trying to find out what the situation is--e.g., whether there
is some off-list work being done.  Thank you for your assessment of
the situation.  If anyone has further information, I'd be most
grateful to hear about it.

Dan


* Re: What shall we do to verify the CVS diffs for emacs?
  2004-01-14 20:08   ` Dan Hoey
@ 2004-01-15 11:43     ` Thien-Thi Nguyen
  2004-01-15 18:47       ` David Kastrup
  0 siblings, 1 reply; 15+ messages in thread
From: Thien-Thi Nguyen @ 2004-01-15 11:43 UTC (permalink / raw)
  Cc: emacs-devel

Dan Hoey <Hoey@aic.nrl.navy.mil> writes:

   > > I'm not complaining (or volunteering), but I'd like to know if
   > > there is any peace-of-mind increment on the horizon.

   I'm just trying to find out what the situation is--e.g., whether
   there is some off-list work being done.  Thank you for your
   assessment of the situation.  If anyone has further information,
   I'd be most grateful to hear about it.

why are you doing this?  what emacs-enhancing activity will come
of this inquiry?

thi


* Re: What shall we do to verify the CVS diffs for emacs?
  2004-01-15 11:43     ` Thien-Thi Nguyen
@ 2004-01-15 18:47       ` David Kastrup
  2004-01-15 20:32         ` Thien-Thi Nguyen
  0 siblings, 1 reply; 15+ messages in thread
From: David Kastrup @ 2004-01-15 18:47 UTC (permalink / raw)
  Cc: Dan Hoey, emacs-devel

Thien-Thi Nguyen <ttn@glug.org> writes:

> Dan Hoey <Hoey@aic.nrl.navy.mil> writes:
> 
>    > > I'm not complaining (or volunteering), but I'd like to know if
>    > > there is any peace-of-mind increment on the horizon.
> 
>    I'm just trying to find out what the situation is--e.g., whether
>    there is some off-list work being done.  Thank you for your
>    assessment of the situation.  If anyone has further information,
>    I'd be most grateful to hear about it.
> 
> why are you doing this?  what emacs-enhancing activity will come
> of this inquiry?

Oh, come on.  Stop everybody crying "sacrilege".  Emacs is a large
executable and an operating environment for many.  The question is
quite relevant, even though we might not like its current answer.

There is nothing wrong in trying to assess the current situation by
asking on the developers' list.  Where else would you go for that?

-- 
David Kastrup, Kriemhildstr. 15, 44793 Bochum


* Re: What shall we do to verify the CVS diffs for emacs?
  2004-01-15 18:47       ` David Kastrup
@ 2004-01-15 20:32         ` Thien-Thi Nguyen
  0 siblings, 0 replies; 15+ messages in thread
From: Thien-Thi Nguyen @ 2004-01-15 20:32 UTC (permalink / raw)
  Cc: Hoey, emacs-devel

   From: David Kastrup <dak@gnu.org>
   Date: 15 Jan 2004 19:47:17 +0100

   Oh, come on.  Stop everybody crying "sacrilege".

???

   The question is quite relevant, even though we might not like its
   current answer.

its relevancy is not under debate.  i'm just curious what concrete
action will come of it (particularly as initiated and enacted by the
OP), besides all this talk, entertaining as it may or may not be.  if
you feel defensive then please just try to relax -- i'm not asking you,
specifically, or even "you" generally.

   There is nothing wrong in trying to assess the current situation by
   asking on the developers' list.  Where else would you go for that?

is there something wrong w/ asking questions about asking questions?
how is one form of assessing the situation contra-indicated whereas the
other is not?

thi


* Re: What shall we do to verify the CVS diffs for emacs?
  2004-01-13 21:34 What shall we do to verify the CVS diffs for emacs? Dan Hoey
  2004-01-14  6:14 ` Eli Zaretskii
@ 2004-01-15 21:21 ` Richard Stallman
  2004-01-16  2:11   ` Kim F. Storm
  1 sibling, 1 reply; 15+ messages in thread
From: Richard Stallman @ 2004-01-15 21:21 UTC (permalink / raw)
  Cc: emacs-devel

Nobody has offered as yet to take charge of verification.
Alas, I cannot possibly do it myself.


* Re: What shall we do to verify the CVS diffs for emacs?
  2004-01-15 21:21 ` Richard Stallman
@ 2004-01-16  2:11   ` Kim F. Storm
  2004-01-16 19:54     ` Richard Stallman
  0 siblings, 1 reply; 15+ messages in thread
From: Kim F. Storm @ 2004-01-16  2:11 UTC (permalink / raw)
  Cc: Dan Hoey, emacs-devel

Richard Stallman <rms@gnu.org> writes:

> Nobody has offered as yet to take charge of verification.
> Alas, I cannot possibly do it myself.

Ok, I'll volunteer to keep track of what's verified so far.


If you want to participate in the verification, pls download
the changeset tarball as previously announced.

Then send me a list of the files you want to verify (C code or Lisp),
or just request a list of files to check (and I'll choose some files
for you).

I will then respond directly to you with a unique key which you must
later return to me when you have complete validation of those files.

Do NOT copy your request to emacs_devel!!

I will post regular updates on the progress of the verification.

Note:  There is a total of approx 2250 files/revisions to check,
       so I will not post the entire list here.  I can send it
       to you on demand.

-- 
Kim F. Storm <storm@cua.dk> http://www.cua.dk


* Re: What shall we do to verify the CVS diffs for emacs?
  2004-01-16  2:11   ` Kim F. Storm
@ 2004-01-16 19:54     ` Richard Stallman
  2004-01-16 23:04       ` Miles Bader
  0 siblings, 1 reply; 15+ messages in thread
From: Richard Stallman @ 2004-01-16 19:54 UTC (permalink / raw)
  Cc: Hoey, emacs-devel

    Ok, I'll volunteer to keep track of what's verified so far.

Thank you.

    Then send me a list of the files you want to verify (C code or Lisp),
    or just request a list of files to check (and I'll choose some files
    for you).

My idea was that we would ask the various contributors to check the
changes they installed.  It doesn't have to be done that way; we
can try it this way too.


* Re: What shall we do to verify the CVS diffs for emacs?
  2004-01-16 19:54     ` Richard Stallman
@ 2004-01-16 23:04       ` Miles Bader
  2004-01-17  1:55         ` Kim F. Storm
  2004-01-17 12:54         ` Richard Stallman
  0 siblings, 2 replies; 15+ messages in thread
From: Miles Bader @ 2004-01-16 23:04 UTC (permalink / raw)
  Cc: emacs-devel, Hoey, Kim F. Storm

On Fri, Jan 16, 2004 at 02:54:20PM -0500, Richard Stallman wrote:
>     Then send me a list of the files you want to verify (C code or Lisp),
>     or just request a list of files to check (and I'll choose some files
>     for you).
> 
> My idea was that we would ask the various contributors to check the
> changes they installed.  It doesn't have to be done that way; we
> can try it this way too.

I don't know whether it's useful, but I've been tracking the emacs CVS
sources with my arch branch since before the break-in.

Naturally, any bogus checkins to CVS would have been mirrored in the arch
branch as well, but perhaps it might serve as a check against retro-active
modification of the CVS files on savannah.

The intruder could have _also_ modified the arch archive to match[*] -- they
are now gpg-signed, but unfortunately were not at the time of the incident --
but that seems a fair bit less likely.  In addition, the archive has been
mirrored on a non-GNU host since 1-sept (and arch mirrors are essentially
append-only); however there's still a (small) avenue for compromise, even
with the mirror, as I have an ssh key for it stored on fencepost.

[*] stored on fencepost, in my home dir

-Miles
-- 
Love is a snowmobile racing across the tundra.  Suddenly it flips over,
pinning you underneath.  At night the ice weasels come.  --Nietzsche


* Re: What shall we do to verify the CVS diffs for emacs?
  2004-01-17  1:55         ` Kim F. Storm
@ 2004-01-17  1:27           ` Miles Bader
  0 siblings, 0 replies; 15+ messages in thread
From: Miles Bader @ 2004-01-17  1:27 UTC (permalink / raw)
  Cc: Hoey, emacs-devel, Richard Stallman, Miles Bader

On Sat, Jan 17, 2004 at 02:55:48AM +0100, Kim F. Storm wrote:
> I don't recall, so is the arch archive just a mirror of CVS, or
> is it two ways (i.e. will changes to arch propagate back to CVS) ?

It's two-way.

> If the latter is the case, who has access to your arch archive,
> and how do you control that access?

It's my archive, so of course I control what goes into it (the same way you'd
control any files on unix).  Inter-archive merging in arch is usually `pull'
based, so if I wanted to merge changes from someone else's branch, I'd have to
explicitly do so -- in a way it's similar to applying patches someone sends
to the mailing list, just more convenient and with better record-keeping.

The remote mirrors on non-GNU machines, OTOH, _are_ just mirrors; of course
now that everything's signed I'd have no qualms about using them to restore
the master fencepost copy if something horrible happened.

-Miles
-- 
If you can't beat them, arrange to have them beaten.  [George Carlin]


* Re: What shall we do to verify the CVS diffs for emacs?
  2004-01-16 23:04       ` Miles Bader
@ 2004-01-17  1:55         ` Kim F. Storm
  2004-01-17  1:27           ` Miles Bader
  2004-01-17 12:54         ` Richard Stallman
  1 sibling, 1 reply; 15+ messages in thread
From: Kim F. Storm @ 2004-01-17  1:55 UTC (permalink / raw)
  Cc: emacs-devel, Richard Stallman, Hoey

Miles Bader <miles@gnu.org> writes:

> On Fri, Jan 16, 2004 at 02:54:20PM -0500, Richard Stallman wrote:
> >     Then send me a list of the files you want to verify (C code or Lisp),
> >     or just request a list of files to check (and I'll choose some files
> >     for you).
> > 
> > My idea was that we would ask the various contributors to check the
> > changes they installed.  It doesn't have to be done that way; we
> > can try it this way too.
> 
> I don't know whether it's useful, but I've been tracking the emacs CVS
> sources with my arch branch since before the break-in.
> 
> Naturally, any bogus checkins to CVS would have been mirrored in the arch
> branch as well, but perhaps it might serve as a check against retro-active
> modification of the CVS files on savannah.

Any checks you can make to improve confidence would be good, but if
bogus checkins are mirrored too, I don't really see how it can help us.

But a raw compare of the tip of CVS and arch would be interesting.

> 
> The intruder could have _also_ modified the arch archive to match[*] -- they
> are now gpg-signed, but unfortunately were not at the time of the incident --
> but that seems a fair bit less likely.  In addition, the archive has been
> mirrored on a non-GNU host since 1-sept (and arch mirrors are essentially
> append-only); however there's still a (small) avenue for compromise, even
> with the mirror, as I have an ssh key for it stored on fencepost.
> 
> [*] stored on fencepost, in my home dir

I don't recall, so is the arch archive just a mirror of CVS, or
is it two ways (i.e. will changes to arch propagate back to CVS) ?

If the latter is the case, who has access to your arch archive,
and how do you control that access?

-- 
Kim F. Storm <storm@cua.dk> http://www.cua.dk


* Re: What shall we do to verify the CVS diffs for emacs?
  2004-01-16 23:04       ` Miles Bader
  2004-01-17  1:55         ` Kim F. Storm
@ 2004-01-17 12:54         ` Richard Stallman
  1 sibling, 0 replies; 15+ messages in thread
From: Richard Stallman @ 2004-01-17 12:54 UTC (permalink / raw)
  Cc: emacs-devel, Hoey, storm

    Naturally, any bogus checkins to CVS would have been mirrored in the arch
    branch as well, but perhaps it might serve as a check against retro-active
    modification of the CVS files on savannah.

This could be very useful.  If you can verify that the check-ins
recorded in CVS with dates before the crack occurred are the same as
you put in your arch archive, that would be enough to show they are
ok.  That might do more than half the job right there.

I think it is unlikely the cracker found your mirror.

      In addition, the archive has been
    mirrored on a non-GNU host since 1-sept (and arch mirrors are essentially
    append-only); however there's still a (small) avenue for compromise, even
    with the mirror, as I have an ssh key for it stored on fencepost.

Do you have backups for the mirror?  If so, you could check
the mirror against its backups to verify that things were not
altered subsequently.
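
The cross-check described in the message above, sketched as an added example (not part of the thread or of any project tooling): a revision dated before the incident is accepted only if an independently kept copy holds the same content. The cutoff date, file names, revision numbers and manifest layout are constructed for illustration.

```python
import hashlib
from datetime import date

def digest(content: bytes) -> str:
    """SHA-256 of one revision's file content."""
    return hashlib.sha256(content).hexdigest()

def classify(cvs, mirror, cutoff):
    """cvs: {(path, rev): (recorded_date, sha256)}; mirror: {(path, rev): sha256}.
    Returns {(path, rev): status}."""
    report = {}
    for key, (when, cvs_hash) in cvs.items():
        if when >= cutoff:
            # The mirror copied later check-ins as well, so a match proves
            # nothing here; a person has to read the diff.
            report[key] = "manual-review"
        elif key not in mirror:
            # Dated before the incident but never seen by the mirror:
            # possibly a back-dated insertion.
            report[key] = "unmirrored"
        elif mirror[key] == cvs_hash:
            report[key] = "verified"
        else:
            report[key] = "altered"   # content changed after mirroring
    for key in mirror.keys() - cvs.keys():
        report[key] = "missing-from-cvs"  # revision removed from the master
    return report

def needs_attention(report):
    """Sorted (path, rev) pairs that the mirror could not vouch for."""
    return sorted(k for k, status in report.items() if status != "verified")

# Constructed sample data; CUTOFF is a placeholder, not the real incident date.
CUTOFF = date(2000, 1, 15)
OLD_EL = b"(defun example () t)\n"
CVS = {
    ("lisp/example.el", "1.4"): (date(2000, 1, 2), digest(OLD_EL)),
    ("src/example.c", "1.9"): (date(2000, 1, 5), digest(b"int f(void) { return 1; }\n")),
    ("src/example.c", "1.10"): (date(2000, 1, 8), digest(b"int g(void) { return 2; }\n")),
    ("lisp/example.el", "1.5"): (date(2000, 1, 20), digest(b"(defun example () nil)\n")),
}
MIRROR = {
    ("lisp/example.el", "1.4"): digest(OLD_EL),
    ("src/example.c", "1.8"): digest(b"int f(void);\n"),
    ("src/example.c", "1.9"): digest(b"int f(void) { return 0; }\n"),
    ("lisp/example.el", "1.5"): digest(b"(defun example () nil)\n"),
}
REPORT = classify(CVS, MIRROR, CUTOFF)

if __name__ == "__main__":
    for path, rev in sorted(REPORT):
        print(f"{REPORT[(path, rev)]:17} {path} {rev}")
```

Only the "verified" entries are settled by the comparison; everything else still goes to a human reviewer, which is the share of the work the mirror cannot remove.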
