Gentoo Archives: gentoo-dev

From: Rich Freeman <rich0@g.o>
To: gentoo-dev@l.g.o
Subject: Re: [gentoo-dev] Git braindump: 1 of N: merging & git signing
Date: Mon, 04 Jun 2012 17:26:37
Message-Id: CAGfcS_mSg5nySMoph9MwNAWxtOJJd70PV6EBEC0e4OK9Z=F=-w@mail.gmail.com
In Reply to: Re: [gentoo-dev] Git braindump: 1 of N: merging & git signing by Dirkjan Ochtman
On Mon, Jun 4, 2012 at 12:19 PM, Dirkjan Ochtman <djc@g.o> wrote:
> So to prevent your scenario, we'd have to get everyone to check the signature of the tip of tree they pulled before committing/merging.
How can we be sure this has happened? This is the problem with signed manifests today. I can sign a manifest, but I didn't actually check all the files inside it, and the file might or might not have been signed before I modified it, and most likely I didn't even check the signature even if it was there.

Anything we do has to be automated to be of any real value. Ideally, if something goes wrong it should be as detectable as possible.

Warts and all, the current system hasn't broken down yet. However, if we ever did find out about an intrusion in our cvs repository, we'd essentially have to do a 100% code review to be sure it was OK, and that includes checking all tarballs on mirrors. With signed commits we could verify that the tree was intact, and if anything bad was found we could pinpoint exactly whose key was compromised and do a focused check on their commits.

Rich
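The automated check Rich is asking for, as an added example that is not part of this thread or of Gentoo's own tooling: a POSIX shell script that walks a git history using `git log`'s `%G?` and `%GK` placeholders, reports every commit that lacks a good signature, and lists the commits signed with a given key so a suspected key compromise can be narrowed to that key's commits. It assumes a local checkout with git and gpg installed and the committers' public keys imported; the function names and the output format are my own.

```shell
#!/bin/sh
# Audit the signature status of every commit reachable from a ref, and list
# the commits signed with one key for a focused review. The *_lines helpers
# read lines of the shape <hash>|<status>|<signing key id>|<author>, which is
# what `git log --format='%H|%G?|%GK|%an'` emits. Status letters are git's
# own: G good, B bad, U good but key untrusted, X signature expired, Y key
# expired, R key revoked, E cannot check (key not available), N unsigned.
LOG_FORMAT='%H|%G?|%GK|%an'

# Print one line per commit that lacks a good, trusted signature:
#   <problem> <hash> key=<key or -> <author>
audit_lines() {
    while IFS='|' read -r hash sigstate key author; do
        case $sigstate in
            G)     continue ;;          # good signature: nothing to report
            N)     problem=UNSIGNED ;;
            B)     problem=BAD-SIGNATURE ;;
            U)     problem=UNTRUSTED-KEY ;;
            X|Y|R) problem=EXPIRED-OR-REVOKED ;;
            E)     problem=KEY-UNAVAILABLE ;;
            *)     problem="UNKNOWN-STATUS-$sigstate" ;;
        esac
        printf '%s %s key=%s %s\n' "$problem" "$hash" "${key:--}" "$author"
    done
}

# Print the hashes of the commits signed with key id $1.
commits_by_key_lines() {
    while IFS='|' read -r hash sigstate key author; do
        if [ "$key" = "$1" ]; then printf '%s\n' "$hash"; fi
    done
}

# Audit every commit reachable from $1 (default HEAD) in the current
# repository; return 1 if anything but good signatures is found, so the
# check can gate a merge or a CI job instead of relying on each
# committer to verify by hand.
audit_repo() {
    findings=$(git log --format="$LOG_FORMAT" "${1:-HEAD}" | audit_lines)
    if [ -n "$findings" ]; then printf '%s\n' "$findings"; return 1; fi
    echo "all commits reachable from ${1:-HEAD} carry good signatures"
}

# Commits signed with key $1 that are reachable from $2 (default HEAD).
commits_by_key() {
    git log --format="$LOG_FORMAT" "${2:-HEAD}" | commits_by_key_lines "$1"
}

if [ "$#" -gt 0 ]; then audit_repo "$1"; fi
```

Run it as `sh audit.sh origin/master` inside a checkout, or source it and call `commits_by_key <keyid>` once a key is known to be compromised.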
