From ba153eff996c278e4fb2db71dc038c97d56684af Mon Sep 17 00:00:00 2001
From: Ian Jackson
Date: Thu, 21 May 2015 10:12:23 +0100
Subject: New approach to replay prevention - WIP

---
 infra/dgit-repos-server | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)

(limited to 'infra/dgit-repos-server')

diff --git a/infra/dgit-repos-server b/infra/dgit-repos-server
index ab83136..f2f3088 100755
--- a/infra/dgit-repos-server
+++ b/infra/dgit-repos-server
@@ -632,11 +632,21 @@ sub checksuite () {
 }
 
 sub checktagnoreplay () {
+    # We need to prevent a replay attack using an earlier signed tag.
+    # We also want to archive in the history anything
+    #
     # We check that the signed tag mentions the name and tag object id of
-    # (a) in the case of FRESHREPO all tags in the repo;
-    # (b) in the case of just NOFFCHECK all tags referring to
+    #
+    # (a) In the case of FRESHREPO all tags and refs/heads/heads in the
+    #     repo. That is, effectively, all the things we are deleting.
+    #     This prevents any tag implying a FRESHREPO push being replayed
+    #     into a different state of the repo.
+    #
+    # (b) In the case of just NOFFCHECK all tags referring to
     # the current head for the suite (there must be at least one).
-    # This prevents a replay attack using an earlier signed tag.
+    # This guarantees that the
+    #
+    #
     return unless $policy & (FRESHREPO|NOFFCHECK);
 
     my $garbagerepo = "$dgitrepos/${package}_garbage";
-- 
cgit v1.2.3
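Review bot: The rewritten header comment in checktagnoreplay leaves two sentences unfinished — "We also want to archive in the history anything" and "This guarantees that the" — so the rationale for case (b), the one that decides what a NOFFCHECK tag must name to be accepted, is not recorded at all; since the commit is marked WIP, at minimum mark them `# TODO: finish — what does (b) guarantee?` so the gap is not mistaken for a complete description of the security property. The phrase "refs/heads/heads in the repo" in (a) looks like a slip for something like "refs/heads/*" (all branch heads), which is what "all the things we are deleting" suggests; confirm and fix the wording, since this line is the spec the deletion-set check will be read against. It is also worth stating in (a) that the tag must name the *object ids*, not just the ref names, so a tag from an earlier state with the same ref names cannot satisfy the check — the first sentence of the old comment said this and the new structure makes it easy to miss. The body of checktagnoreplay continues past the end of the hunk, so I cannot confirm from here that the code enumerates the same ref set the comment describes.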