| 1 |
On Mon, Jun 04, 2012 at 08:45:42PM +0200, Dirkjan Ochtman wrote: |
| 2 |
> On Mon, Jun 4, 2012 at 7:25 PM, Rich Freeman <rich0@g.o> wrote: |
| 3 |
> > Anything we do has to be automated to be of any real value. ??Ideally |
| 4 |
> > if something goes wrong it should be as detectable as possible. |
| 5 |
> |
| 6 |
> Yeah, but you'd have to part of that at every developer's box. |
| 7 |
> |
| 8 |
> Can we just agree that having the tip of the main tree always signed |
| 9 |
> will be enough for now, and postpone the rest of the discussion until |
| 10 |
> later? |
| 11 |
|
| 12 |
ToT is always going to be signed. If it *isn't* signed, either the |
| 13 |
infra machinery is broken and not rejecting commits that it should |
| 14 |
reject, or someone is trojaning the repo (either via an infra |
| 15 |
compromise, local compromise, or via man in the middle). |
| 16 |
|
| 17 |
One thing people need to keep in mind here is that when you sign the |
| 18 |
commit, you're signing off on the history implicitly. Directly |
| 19 |
addressing freeman's comment about "people sign the manifest but don't |
| 20 |
look at what they're signing", when it comes to git signage, bluntly, |
| 21 |
people doing that shouldn't have access- if they can't be arsed to |
| 22 |
validate what they're signing, then trusting them w/ the tree is |
| 23 |
probably questionable. |
| 24 |
|
| 25 |
Harsh, but frankly, sane people don't sign enforcable contracts w/out |
| 26 |
verifying what they're signing (note the 'enforcable' bit, stated to |
| 27 |
head off the EULA rathole discussion); this isn't any different |
| 28 |
frankly. |
| 29 |
|
| 30 |
~harring |
Archives