On Mon, Jun 04, 2012 at 08:45:42PM +0200, Dirkjan Ochtman wrote:
> On Mon, Jun 4, 2012 at 7:25 PM, Rich Freeman <rich0@g.o> wrote:
> > Anything we do has to be automated to be of any real value.  Ideally
> > if something goes wrong it should be as detectable as possible.
>
> Yeah, but you'd have to part of that at every developer's box.
>
> Can we just agree that having the tip of the main tree always signed
> will be enough for now, and postpone the rest of the discussion until
> later?

ToT is always going to be signed. If it *isn't* signed, either the
infra machinery is broken and not rejecting commits that it should
reject, or someone is trojaning the repo (either via an infra
compromise, local compromise, or via man in the middle).

One thing people need to keep in mind here is that when you sign the
commit, you're signing off on the history implicitly. Directly
addressing freeman's comment about "people sign the manifest but don't
look at what they're signing", when it comes to git signage, bluntly,
people doing that shouldn't have access - if they can't be arsed to
validate what they're signing, then trusting them w/ the tree is
probably questionable.

Harsh, but frankly, sane people don't sign enforceable contracts w/out
verifying what they're signing (note the 'enforceable' bit, stated to
head off the EULA rathole discussion); this isn't any different
frankly.

~harring
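The point in the mail that signing a commit signs off on the history implicitly follows from what a git commit object contains: the parent hash sits in the signed payload, so a signature on ToT covers the whole chain behind it. The Python below is an added illustration, not code from this thread or from Gentoo infra. The commit objects are constructed in memory, the parent hashes are made up (only the empty-tree hash is git's real one) and the PGP block is a placeholder, not a real signature. It parses the raw layout that `git cat-file -p` prints, recovers the bytes a signature covers, and models the "infra rejects an unsigned tip" check from the thread as a presence check only.

```python
# Added example (not code from this thread or from Gentoo infra): what a git
# commit signature covers, and a check that the tip of a push is signed.
# All commit objects below are constructed; the parent hashes are made up and
# the PGP block is a placeholder, not a real signature.

EMPTY_TREE = "4b825dc642cb6eb9a060e54bf8d69288fbee4904"  # git's well-known empty tree


def make_commit(parents, message, signed):
    """Build a raw commit object laid out as `git cat-file -p` prints it."""
    headers = ["tree " + EMPTY_TREE]
    headers += ["parent " + p for p in parents]
    headers.append("author Example Dev <dev@example.invalid> 1338836742 +0200")
    headers.append("committer Example Dev <dev@example.invalid> 1338836742 +0200")
    if signed:
        # A multi-line header continues on lines that start with one space;
        # git stores a blank armor line as a single space.
        headers += [
            "gpgsig -----BEGIN PGP SIGNATURE-----",
            " ",
            " PLACEHOLDERsignatureDATAnotARealSignature",
            " =PLAC",
            " -----END PGP SIGNATURE-----",
        ]
    return "\n".join(headers) + "\n\n" + message


def parse_commit(raw):
    """Split a raw commit object into ([(key, value), ...], message).
    Continuation lines (leading space) are folded into the previous header."""
    header_text, _, message = raw.partition("\n\n")
    headers = []
    for line in header_text.split("\n"):
        if line.startswith(" ") and headers:
            key, value = headers[-1]
            headers[-1] = (key, value + "\n" + line[1:])
        else:
            key, _, value = line.partition(" ")
            headers.append((key, value))
    return headers, message


def signature_of(raw):
    """Return the armored signature, or None if the commit carries none."""
    for key, value in parse_commit(raw)[0]:
        if key == "gpgsig":
            return value
    return None


def parents_of(raw):
    return [value for key, value in parse_commit(raw)[0] if key == "parent"]


def signed_payload(raw):
    """The bytes a commit signature is computed over: the object with the
    gpgsig header removed. tree, parent(s), author, committer and the message
    all stay in, which is why signing a commit signs off on its history."""
    headers, message = parse_commit(raw)
    kept = [key + " " + value.replace("\n", "\n ")
            for key, value in headers if key != "gpgsig"]
    return "\n".join(kept) + "\n\n" + message


def first_parent_chain(tip, objects):
    """Walk first parents from tip to the root, reporting (sha, signed?)."""
    chain, sha = [], tip
    while sha is not None:
        raw = objects[sha]
        chain.append((sha, signature_of(raw) is not None))
        parents = parents_of(raw)
        sha = parents[0] if parents else None
    return chain


def accept_push(new_tip, objects):
    """Policy from the thread: the tip of the tree must always be signed.
    This only checks that a signature is present; the cryptographic check
    itself is what `git verify-commit` / `git log --show-signature` do."""
    return signature_of(objects[new_tip]) is not None


# Constructed in-memory history: an unsigned root, then two signed commits.
ROOT, MID, TIP = "a" * 40, "b" * 40, "c" * 40
OBJECTS = {
    ROOT: make_commit([], "initial import\n", signed=False),
    MID: make_commit([ROOT], "sys-apps/example: bump to 1.2.3\n", signed=True),
    TIP: make_commit([MID], "sys-apps/example: fix typo\n", signed=True),
}

if __name__ == "__main__":
    for sha, signed in first_parent_chain(TIP, OBJECTS):
        print(sha[:7], "signed" if signed else "UNSIGNED")
    print("parent hash inside signed payload:", MID in signed_payload(OBJECTS[TIP]))
    print("accept push of TIP:", accept_push(TIP, OBJECTS))
```

Running it shows that stripping the `gpgsig` header from the signed tip yields exactly the unsigned form of the same commit, parent hash included, so a valid signature on ToT pins the parent and, transitively, everything it reaches. Note that `accept_push` is deliberately only a presence check: a real hook still has to verify the signature and decide which keys it trusts.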