
launchpad-dev team mailing list archive

Re: Signing the code of conduct

 

Aaron Bentley wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Andrew Bennetts wrote:
> > So by making cosmetic changes to the input you make it (even more) unlikely that
> > someone can take your signature of the CoC and make a fake signature of another
> > document you never signed.
> 
> Doesn't the fact that whitespace is ignored make it easier to forge a
> CoC signature via a "birthday attack"?  You sign another document, and
> then the attacker forges a CoC signature by inserting whitespace in the
> CoC until the checksums match...

I don't think Launchpad allows third parties to upload signed CoCs on
your behalf, but that doesn't really matter...

That argument applies to any GPG signed document, not just a
whitespace-tweaked CoC.  In principle I could take the GPG signature you
put on the email I am replying to, write “I, Aaron Bentley, am Wrong on
the Internet(TM)” and just keep adding whitespace until the checksums
match...

That said, I share Martin's point of view that this is all pretty
academic and unnecessary for Launchpad to bother users with.

-Andrew.
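
The thread describes two different searches: padding one text with whitespace until it matches the digest of something already signed, and a birthday search in which both texts are varied. The sketch below is an added example, not part of the original messages or of Launchpad's code; it measures both on SHA-1 truncated to 16 bits so that they finish quickly. The truncation width, the whitespace encoding, the function names and the sample texts are all assumptions made for the demonstration.

```python
import hashlib

BITS = 16  # demo digest width (assumption); a real SHA-1 digest is 160 bits

def tdigest(text: str) -> int:
    """Top BITS bits of SHA-1 over the text, as an integer."""
    full = int.from_bytes(hashlib.sha1(text.encode()).digest(), "big")
    return full >> (160 - BITS)

def variant(base: str, n: int) -> str:
    """Append n encoded as whitespace (0 -> space, 1 -> tab): same visible text."""
    return base + format(n, "b").translate(str.maketrans("01", " \t"))

def match_fixed_digest(signed: str, other: str):
    """Pad `other` until it matches the digest of an already-signed text."""
    target = tdigest(signed)
    n = 0
    while tdigest(variant(other, n)) != target:
        n += 1
    return variant(other, n), n + 1  # matching text, hashes computed

def birthday_pair(doc_a: str, doc_b: str):
    """Vary both texts until a variant of one matches a variant of the other."""
    seen_a, seen_b = {}, {}
    n = 0
    while True:
        va, vb = variant(doc_a, n), variant(doc_b, n)
        da, db = tdigest(va), tdigest(vb)
        seen_a.setdefault(da, va)
        seen_b.setdefault(db, vb)
        for d in (da, db):
            if d in seen_a and d in seen_b:
                return seen_a[d], seen_b[d], 2 * (n + 1)
        n += 1

# Constructed sample texts, not the real Code of Conduct.
SIGNED = "I agree to review this patch.\n"
COC = "I agree to the Code of Conduct.\n"

if __name__ == "__main__":
    _, fixed_trials = match_fixed_digest(SIGNED, COC)
    _, _, pair_trials = birthday_pair(SIGNED, COC)
    print(f"{BITS}-bit digest: fixed target took {fixed_trials} hashes, "
          f"birthday pair took {pair_trials}")
    # Expected order of work for an ideal n-bit hash: 2^n versus 2^(n/2).
    print(f"expected order: 2^{BITS} vs 2^{BITS // 2}; at 160 bits: 2^160 vs 2^80")
```

The measured counts vary with the sample texts, but the gap between the two searches is what scales: at the full 160-bit width both figures are far beyond what whitespace padding can reach by brute force.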



