[Pkg-privacy-commits] [parcimonie] 01/02: Cherry-pick two upstream patches (Closes: #738134, #738004).

Ximin Luo infinity0 at moszumanska.debian.org
Sat Aug 22 13:28:53 UTC 2015


This is an automated email from the git hooks/post-receive script.

infinity0 pushed a commit to branch wheezy-security
in repository parcimonie.

commit e112ee65873acd4845c147538a2ef191221f3379
Author: intrigeri <intrigeri at boum.org>
Date:   Sat Feb 8 16:18:24 2014 +0000

    Cherry-pick two upstream patches (Closes: #738134, #738004).
---
 ...se-time-with-large-number-of-keys-Closes-.patch | 28 +++++++++
 ...dom-amount-of-time-if-the-computed-random.patch | 72 ++++++++++++++++++++++
 debian/patches/series                              |  2 +
 3 files changed, 102 insertions(+)

diff --git a/debian/patches/0001-Clarify-lapse-time-with-large-number-of-keys-Closes-.patch b/debian/patches/0001-Clarify-lapse-time-with-large-number-of-keys-Closes-.patch
new file mode 100644
index 0000000..40a02b2
--- /dev/null
+++ b/debian/patches/0001-Clarify-lapse-time-with-large-number-of-keys-Closes-.patch
@@ -0,0 +1,28 @@
+From: intrigeri <intrigeri at boum.org>
+Date: Fri, 7 Feb 2014 14:33:57 +0000
+Subject: Clarify lapse time with large number of keys (Closes: Debian#738004).
+Bug-Debian: http://bugs.debian.org/738004
+Origin: commit:e860a1e08eba7064094e83bab1e74086d10e5af3
+
+---
+ design.mdwn | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/design.mdwn b/design.mdwn
+index f2242ae..884d56c 100644
+--- a/design.mdwn
++++ b/design.mdwn
+@@ -79,10 +79,13 @@ in the keyring:
+ 
+    max(MaxCircuitDirtiness, rand(2 * ( seconds in a week / number of pubkeys )))
+ 
++Note that the MaxCircuitDirtiness value is 10 minutes in current Tor.
+ 
+ Examples:
+   - 50  public keys -> average lapse time =~ 200 min.
+   - 500 public keys -> average lapse time =~ 20 min.
++  - 5000 public keys -> lapse time = 10 min.
++  - 50000 public keys -> lapse time = 10 min.
+ 
+ Feedback to the user
+ ====================
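Review bot: The added line "Note that the MaxCircuitDirtiness value is 10 minutes in current Tor." hard-codes a Tor default into the design document, where it will go stale silently; suggest wording it as the value parcimonie assumes (its minimum_lapse_time) rather than a statement about Tor, e.g. "parcimonie assumes Tor's default MaxCircuitDirtiness of 10 minutes". In the Examples list it would also help to say that "lapse time = 10 min." for 5000 and 50000 keys is the fixed floor from the max(), not an average like the two entries above it, since a constant inter-fetch interval is exactly what the following patch identifies as fingerprintable.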
diff --git a/debian/patches/0002-Sleep-a-random-amount-of-time-if-the-computed-random.patch b/debian/patches/0002-Sleep-a-random-amount-of-time-if-the-computed-random.patch
new file mode 100644
index 0000000..7db6c6f
--- /dev/null
+++ b/debian/patches/0002-Sleep-a-random-amount-of-time-if-the-computed-random.patch
@@ -0,0 +1,72 @@
+From: intrigeri <intrigeri at boum.org>
+Date: Sat, 8 Feb 2014 15:55:20 +0000
+Subject: Sleep a random amount of time if the computed random sleep time is
+ too low.
+Bug-Debian: http://bugs.debian.org/738134
+Origin: commit:8931fdcf868c37e2e8d44324d5514d235a6d5c89
+
+Previously, with a really large keyring (>= 1000 public keys), parcimonie would
+always sleep 10 minutes between two fetches. This is likely to be
+fingerprintable by an adversary who can watch many such fetches. Such an
+adversary is part of the parcimonie threat model, so this kinda defeats the
+usefulness of parcimonie for such use cases.
+
+Therefore, when the computed amount of (random) sleep time is too low (that is,
+smaller than Tor's MaxCircuitDirtiness), we instead sleep a random amount of
+time between minimum_lapse_time and 2 * minimum_lapse_time.
+---
+ design.mdwn                  |  9 ++++++---
+ lib/App/Parcimonie/Daemon.pm | 10 +++++++---
+ 2 files changed, 13 insertions(+), 6 deletions(-)
+
+diff --git a/design.mdwn b/design.mdwn
+index 884d56c..0376d43 100644
+--- a/design.mdwn
++++ b/design.mdwn
+@@ -77,15 +77,18 @@ parcimonie sleeps a random amount of time between every key fetch;
+ this lapse time is computed in function of the number of public keys
+ in the keyring:
+ 
+-   max(MaxCircuitDirtiness, rand(2 * ( seconds in a week / number of pubkeys )))
++   if rand(2 * (seconds in a week / number of pubkeys)) >= MaxCircuitDirtiness:
++       rand(2 * (seconds in a week / number of pubkeys))
++   else:
++       MaxCircuitDirtiness + rand(MaxCircuitDirtiness)
+ 
+ Note that the MaxCircuitDirtiness value is 10 minutes in current Tor.
+ 
+ Examples:
+   - 50  public keys -> average lapse time =~ 200 min.
+   - 500 public keys -> average lapse time =~ 20 min.
+-  - 5000 public keys -> lapse time = 10 min.
+-  - 50000 public keys -> lapse time = 10 min.
++  - 5000 public keys -> lapse time = 10 min. + rand(10 min.)
++  - 50000 public keys -> lapse time = 10 min. + rand(10 min.)
+ 
+ Feedback to the user
+ ====================
+diff --git a/lib/App/Parcimonie/Daemon.pm b/lib/App/Parcimonie/Daemon.pm
+index f19e4ac..15b62c2 100644
+--- a/lib/App/Parcimonie/Daemon.pm
++++ b/lib/App/Parcimonie/Daemon.pm
+@@ -277,13 +277,17 @@ sub next_sleep_time {
+             $self->average_lapse_time
+             : averageLapseTime($num_public_keys);
+ 
+-    $self->debug(sprintf('Using %s seconds as average sleep time.',
+-                         $average_lapse_time
++    my $fallback_lapse_time = $self->minimum_lapse_time
++                            + rand($self->minimum_lapse_time);
++
++    $self->debug(sprintf('Using %s seconds as average sleep time, '.
++                         'and %s seconds as fallback sleep time.',
++                         $average_lapse_time, $fallback_lapse_time
+     ));
+ 
+     my $next_sleep_time = rand(2 * $average_lapse_time);
+     if ($next_sleep_time < $self->minimum_lapse_time) {
+-        $next_sleep_time = $self->minimum_lapse_time;
++        $next_sleep_time = $fallback_lapse_time;
+     }
+     return $next_sleep_time;
+ }
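Review bot: In the design.mdwn hunk the new pseudocode evaluates rand(2 * (seconds in a week / number of pubkeys)) twice, once in the condition and once in the first branch, which reads as two independent draws, while the Daemon.pm change draws once (`my $next_sleep_time = rand(2 * $average_lapse_time);`) and compares that single value. Suggest binding the draw to a name in the pseudocode, e.g. `t = rand(2 * (seconds in a week / number of pubkeys))` followed by `if t >= MaxCircuitDirtiness: t else: MaxCircuitDirtiness + rand(MaxCircuitDirtiness)`, so the document matches the code. The description's ">= 1000 public keys" is also looser than the formula it describes: with 604800 seconds in a week and a 600-second floor, the draw falls below the floor every time only once 2 * 604800 / N <= 600, i.e. from roughly 2016 keys; at 1000 keys rand(1209.6) exceeds the floor about half the time, so "roughly 2000 or more" would be accurate. Minor: the debug message now reports the fallback value on every call, including when the fallback branch is not taken; labelling it "fallback sleep time (used only if the draw is below the minimum)" would avoid misreading the logs.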
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..1221edd
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1,2 @@
+0001-Clarify-lapse-time-with-large-number-of-keys-Closes-.patch
+0002-Sleep-a-random-amount-of-time-if-the-computed-random.patch
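Review bot: Ordering in series is load-bearing here: the design.mdwn hunk in 0002 applies against index 884d56c, which is the blob 0001 produces, so 0002 cannot be applied or dropped on its own. A comment line in series (quilt ignores lines starting with #) recording that 0002 depends on 0001 would spare the next maintainer a failed quilt push when touching this file.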

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-privacy/packages/parcimonie.git
