Gentoo Archives: gentoo-dev

From: Dirkjan Ochtman <djc@g.o>
To: gentoo-dev@l.g.o
Subject: Re: [gentoo-dev] Git braindump: 1 of N: merging & git signing
Date: Mon, 04 Jun 2012 16:29:16
Message-Id: CAKmKYaDZPGD1TEfjPaqTLg_+poE6hQiZU=wEBNPgaGHk+BRL3w@mail.gmail.com
In Reply to: Re: [gentoo-dev] Git braindump: 1 of N: merging & git signing by Rich Freeman
On Mon, Jun 4, 2012 at 6:06 PM, Rich Freeman <rich0@g.o> wrote:
> Again, we don't need to be there 100% to go live.  However, I think > that was the whole point of signing commits.  If we aren't going to > add any assurance at all with our signing practices, then there isn't > much point in having them.
True. However, I still think my idea of security (the tip of tree must always be signed by a gentoo.org committer) and your idea of security (every cset must be signed by a gentoo.org committer) give similar security guarantees in the end. Any user will rely on the last committer to have faithfully signed for an uncompromised tree. Any committer will rely on the previous committer to have faithfully signed for an uncompromised tree. So to prevent your scenario, we'd have to get everyone to check the signature of the tip of tree they pulled before committing/merging. Having every cset signed is something that might make verification slightly easier, but having all previous tips signed (i.e. merges) should be sufficient (if we can rely on committers to review changesets from other committers they pull from). Cheers, Dirkjan

Replies

Subject Author
Re: [gentoo-dev] Git braindump: 1 of N: merging & git signing Rich Freeman <rich0@g.o>