List Archive: gentoo-dev
Headers:
To: Michał Górny <mgorny@g.o>
From: Rich Freeman <rich0@g.o>
Subject: Re: Git braindump: 1 of N: merging & git signing
Date: Tue, 5 Jun 2012 10:15:28 -0400
On Tue, Jun 5, 2012 at 2:50 AM, Michał Górny <mgorny@g.o> wrote:
> On Mon, 4 Jun 2012 16:57:42 -0400
> Rich Freeman <rich0@g.o> wrote:
>
>> If you go back and look at the tree you see a bunch of signed and
>> unsigned commits.  How do you easily detect how the unsigned ones got
>> there (via a dev with a merge commit, or via other means)?
>
> Well, that's not a very good solution but the server-side hooks could
> also verify the tree state before applying new commits.

The obvious problem with this is that it makes the git server a single
point of failure - if it is compromised the hooks will not help.
Hooks should nevertheless be there to eliminate mistakes.

Note that in no way are any of these git flaws any worse than the
status quo.  I just want to avoid any false sense of security.  I
think these are flaws that are worth fixing, and I think that was why
many have labored to get the signing enabled in git in the first
place.

My suggestion is to keep working on this, but it shouldn't be
considered a blocker for adoption, since these are not new security
flaws, and if anything despite its holes git is an improvement.

Rich
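The two mechanisms debated above, written out as an added example that is not part of this message or of Gentoo's own infrastructure: a pre-receive hook that refuses pushes containing commits without a good signature (the "eliminate mistakes" role Rich gives hooks), and a client-side audit that finds unsigned commits already in a branch and tells a direct push apart from one that arrived through a merge commit, so the check does not live only on the server Rich calls the single point of failure. It assumes git 1.7.9 or newer for the %G? placeholder and a keyring available to whoever runs it; the function names are mine.

```shell
#!/bin/sh
# Added example (not from the thread or Gentoo's hooks): reject pushes whose
# commits lack a good GPG signature, and audit how unsigned commits already in
# a branch got there. Assumes git >= 1.7.9 for the %G? placeholder:
# G = good, U = good but untrusted key, B = bad, N = unsigned (only G/U pass).

# Read "<hash> <G?> <parents...>" lines (git log --format='%H %G? %P', tip
# first) on stdin; print each commit without a good signature, tagged
# "direct" if it lies on the branch's first-parent line (pushed straight to
# the branch) or "via-merge" if a merge commit brought it in.
audit_unsigned() {
    awk '
    { hash[NR] = $1; sig[NR] = $2; first[$1] = $3; n = NR }
    END {
        for (c = hash[1]; c != ""; c = first[c]) onchain[c] = 1  # first-parent chain
        for (i = 1; i <= n; i++) {
            if (sig[i] == "G" || sig[i] == "U") continue
            kind = (hash[i] in onchain) ? "direct" : "via-merge"
            print hash[i], sig[i], kind
        }
    }'
}

# Client-side audit of an existing ref, e.g. audit_ref origin/master; it does
# not depend on the server, which a hook alone makes the single point of failure.
audit_ref() {
    git log --topo-order --format='%H %G? %P' "$1" | audit_unsigned
}

# pre-receive hook body: stdin carries "<oldrev> <newrev> <refname>" per ref.
pre_receive() {
    zero=0000000000000000000000000000000000000000
    rc=0
    while read -r oldrev newrev refname; do
        [ "$newrev" = "$zero" ] && continue           # ref deletion: nothing new
        if [ "$oldrev" = "$zero" ]; then
            range="$newrev --not --all"                # new ref: only unseen commits
        else
            range="$oldrev..$newrev"
        fi
        bad=$(git log --topo-order --format='%H %G? %P' $range | audit_unsigned)
        if [ -n "$bad" ]; then
            printf 'rejected %s: commits without a good signature:\n%s\n' \
                "$refname" "$bad" >&2
            rc=1
        fi
    done
    return $rc
}
```

Install `pre_receive` as the body of `hooks/pre-receive` on the server; a B or N verdict on any pushed commit blocks the whole push, while the audit reports what is already in history without rejecting anything.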


Updated Jun 29, 2012

Copyright 2001-2013 Gentoo Foundation, Inc.