On Mon, Jun 4, 2012 at 6:06 PM, Rich Freeman <rich0@g.o> wrote:
> Again, we don't need to be there 100% to go live. However, I think
> that was the whole point of signing commits. If we aren't going to
> add any assurance at all with our signing practices, then there isn't
> much point in having them.

True. However, I still think my idea of security (the tip of tree must
always be signed by a gentoo.org committer) and your idea of security
(every cset must be signed by a gentoo.org committer) give similar
security guarantees in the end. Any user will rely on the last
committer to have faithfully signed for an uncompromised tree. Any
committer will rely on the previous committer to have faithfully
signed for an uncompromised tree. So to prevent your scenario, we'd
have to get everyone to check the signature of the tip of tree they
pulled before committing/merging. Having every cset signed is
something that might make verification slightly easier, but having all
previous tips signed (i.e. merges) should be sufficient (if we can
rely on committers to review changesets from other committers they
pull from).

Cheers,

Dirkjan
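The three verification policies under discussion (tip signed, every previous tip signed, every cset signed), modelled over a small commit graph. This is an added example, not part of the original message and not Gentoo's tooling: the committer identities, the commit ids and the two histories are constructed, and "signer" stands in for whatever a real `git verify-commit` would report. Scenario A is the case Rich worries about (a committer signs on top of a tip he never verified); scenario B is the "signed merge of an unreviewed branch" case that the first-parent policy accepts only because it trusts the merging committer's review.

```python
from dataclasses import dataclass
from typing import Dict, Iterator, List, Optional, Set

# Hypothetical identities; a real policy would key on gentoo.org-issued keys.
TRUSTED = {"alice@gentoo.org", "bob@gentoo.org"}


@dataclass
class Commit:
    cid: str
    parents: List[str]      # parents[0] is the first parent (the line merged *into*)
    signer: Optional[str]   # identity behind a valid signature; None if unsigned/bad


@dataclass
class Repo:
    commits: Dict[str, Commit]
    tip: str


def is_trusted(commit: Commit, trusted: Set[str]) -> bool:
    return commit.signer is not None and commit.signer in trusted


def reachable(repo: Repo, start: str) -> Iterator[Commit]:
    """Every commit reachable from start (what `git log <start>` lists)."""
    seen, stack = set(), [start]
    while stack:
        cid = stack.pop()
        if cid in seen:
            continue
        seen.add(cid)
        commit = repo.commits[cid]
        yield commit
        stack.extend(commit.parents)


def first_parent_line(repo: Repo, start: str) -> Iterator[Commit]:
    """The chain of successive tips (what `git log --first-parent <start>` lists)."""
    cid: Optional[str] = start
    while cid is not None:
        commit = repo.commits[cid]
        yield commit
        cid = commit.parents[0] if commit.parents else None


def tip_signed(repo: Repo, trusted: Set[str]) -> bool:
    """Policy 1: only the tip of tree must carry a trusted signature."""
    return is_trusted(repo.commits[repo.tip], trusted)


def every_tip_signed(repo: Repo, trusted: Set[str]) -> bool:
    """Policy 2: every previous tip (the first-parent line, i.e. each merge) is signed."""
    return all(is_trusted(c, trusted) for c in first_parent_line(repo, repo.tip))


def every_cset_signed(repo: Repo, trusted: Set[str]) -> bool:
    """Policy 3: every changeset reachable from the tip is signed."""
    return all(is_trusted(c, trusted) for c in reachable(repo, repo.tip))


def pulled_tip_ok(repo: Repo, pulled_tip: str, trusted: Set[str]) -> bool:
    """The check a committer must run under policy 1 before committing on what they pulled."""
    return is_trusted(repo.commits[pulled_tip], trusted)


def untrusted_in_history(repo: Repo, trusted: Set[str]) -> List[str]:
    """Commits a verifier would have to review by hand because no trusted key vouches for them."""
    return sorted(c.cid for c in reachable(repo, repo.tip) if not is_trusted(c, trusted))


def evaluate(repo: Repo, trusted: Set[str] = TRUSTED) -> Dict[str, bool]:
    return {
        "tip_signed": tip_signed(repo, trusted),
        "every_tip_signed": every_tip_signed(repo, trusted),
        "every_cset_signed": every_cset_signed(repo, trusted),
    }


# Constructed scenario A: an unsigned commit m1 lands on alice's tip; bob pulls it,
# does not verify the tip, and commits b1 (signed) on top of it.
SCENARIO_A = Repo(
    commits={
        "a1": Commit("a1", [], "alice@gentoo.org"),
        "m1": Commit("m1", ["a1"], None),               # injected, no trusted signature
        "b1": Commit("b1", ["m1"], "bob@gentoo.org"),   # signed, but built on m1 unchecked
    },
    tip="b1",
)

# Constructed scenario B: bob instead merges the branch carrying m1 with a signed
# merge commit b2 whose first parent is alice's tip a1.
SCENARIO_B = Repo(
    commits={
        "a1": Commit("a1", [], "alice@gentoo.org"),
        "m1": Commit("m1", ["a1"], None),
        "b2": Commit("b2", ["a1", "m1"], "bob@gentoo.org"),
    },
    tip="b2",
)


if __name__ == "__main__":
    for name, repo in (("A", SCENARIO_A), ("B", SCENARIO_B)):
        print(name, evaluate(repo), "untrusted:", untrusted_in_history(repo, TRUSTED))
```

In scenario A the tip-only policy passes while both stricter policies fail, and `pulled_tip_ok(SCENARIO_A, "m1", TRUSTED)` is the check bob skipped. In scenario B the first-parent policy also passes, because it sees only a1 and b2; whether m1 is acceptable then rests entirely on bob having reviewed what he merged, which is exactly the condition stated in the parenthesis above.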