Gentoo Logo
Gentoo Spaceship




Note: Due to technical difficulties, the Archives are currently not up to date. GMANE provides an alternative service for most mailing lists.
c.f. bug 424647
List Archive: gentoo-dev
Navigation:
Lists: gentoo-dev: < Prev By Thread Next > < Prev By Date Next >
Headers:
To: gentoo-dev@g.o
From: Brian Harring <ferringb@...>
Subject: Re: Git braindump: 1 of N: merging & git signing
Date: Mon, 4 Jun 2012 12:10:00 -0700
On Mon, Jun 04, 2012 at 08:45:42PM +0200, Dirkjan Ochtman wrote:
> On Mon, Jun 4, 2012 at 7:25 PM, Rich Freeman <rich0@g.o> wrote:
> > Anything we do has to be automated to be of any real value. ??Ideally
> > if something goes wrong it should be as detectable as possible.
> 
> Yeah, but you'd have to part of that at every developer's box.
> 
> Can we just agree that having the tip of the main tree always signed
> will be enough for now, and postpone the rest of the discussion until
> later?

ToT is always going to be signed.  If it *isn't* signed, either the 
infra machinery is broken and not rejecting commits that it should 
reject, or someone is trojaning the repo (either via an infra 
compromise, local compromise, or via man in the middle).

One thing people need to keep in mind here is that when you sign the 
commit, you're signing off on the history implicitly.  Directly 
addressing freeman's comment about "people sign the manifest but don't 
look at what they're signing", when it comes to git signage, bluntly, 
people doing that shouldn't have access- if they can't be arsed to 
validate what they're signing, then trusting them w/ the tree is 
probably questionable.

Harsh, but frankly, sane people don't sign enforcable contracts w/out 
verifying what they're signing (note the 'enforcable' bit, stated to 
head off the EULA rathole discussion); this isn't any different 
frankly.

~harring


Replies:
Re: Git braindump: 1 of N: merging & git signing
-- Rich Freeman
References:
Re: Git braindump: 1 of N: merging & git signing
-- Rich Freeman
Re: Git braindump: 1 of N: merging & git signing
-- Dirkjan Ochtman
Re: Git braindump: 1 of N: merging & git signing
-- Rich Freeman
Re: Git braindump: 1 of N: merging & git signing
-- Dirkjan Ochtman
Re: Git braindump: 1 of N: merging & git signing
-- Rich Freeman
Re: Git braindump: 1 of N: merging & git signing
-- Dirkjan Ochtman
Re: Git braindump: 1 of N: merging & git signing
-- Rich Freeman
Re: Git braindump: 1 of N: merging & git signing
-- Dirkjan Ochtman
Re: Git braindump: 1 of N: merging & git signing
-- Rich Freeman
Re: Git braindump: 1 of N: merging & git signing
-- Dirkjan Ochtman
Navigation:
Lists: gentoo-dev: < Prev By Thread Next > < Prev By Date Next >
Previous by thread:
Re: Git braindump: 1 of N: merging & git signing
Next by thread:
Re: Git braindump: 1 of N: merging & git signing
Previous by date:
Re: Git braindump: 1 of N: merging & git signing
Next by date:
Re: Git braindump: 1 of N: merging & git signing


Updated Jun 29, 2012

Summary: Archive of the gentoo-dev mailing list.

Donate to support our development efforts.

Copyright 2001-2013 Gentoo Foundation, Inc. Questions, Comments? Contact us.