List Archive: gentoo-dev
Headers:
To: gentoo-dev@g.o
From: Dirkjan Ochtman <djc@g.o>
Subject: Re: Git braindump: 1 of N: merging & git signing
Date: Mon, 4 Jun 2012 18:19:26 +0200
On Mon, Jun 4, 2012 at 6:06 PM, Rich Freeman <rich0@g.o> wrote:
> Again, we don't need to be there 100% to go live.  However, I think
> that was the whole point of signing commits.  If we aren't going to
> add any assurance at all with our signing practices, then there isn't
> much point in having them.

True. However, I still think my idea of security (the tip of tree must
always be signed by a gentoo.org committer) and your idea of security
(every cset must be signed by a gentoo.org committer) give similar
security guarantees in the end. Any user will rely on the last
committer to have faithfully signed for an uncompromised tree. Any
committer will rely on the previous committer to have faithfully
signed for an uncompromised tree. So to prevent your scenario, we'd
have to get everyone to check the signature of the tip of tree they
pulled before committing/merging. Having every cset signed is
something that might make verification slightly easier, but having all
previous tips signed (i.e. merges) should be sufficient (if we can
rely on committers to review changesets from other committers they
pull from).

Cheers,

Dirkjan
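
The two verification models compared in this message can be run side by side over a commit graph. This is an added example, not part of the original post or of any Gentoo tooling. It assumes "previous tips" correspond to the first-parent chain, that the input has the shape of `git log --format='%H|%P|%G?|%GK'`, and that the key names and sample history are constructed.

```python
# Constructed sample in the shape of: git log --format='%H|%P|%G?|%GK'
# (%G? is G for a good signature, N for none; %GK is the signing key ID).
# m2 is a signed merge that pulls in f1 and f2 from a side branch.
SAMPLE_LOG = """\
m2|m1 f2|G|KEY_ALICE
f2|f1|N|
f1|m1|G|KEY_MALLORY
m1|c0|G|KEY_BOB
c0||G|KEY_ALICE
"""
COMMITTER_KEYS = {"KEY_ALICE", "KEY_BOB"}  # hypothetical committer keyring

def parse_log(text):
    """Return {commit: (parents, status, key)} from '|'-separated log lines."""
    commits = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        sha, parents, status, key = line.split("|")
        commits[sha] = (parents.split(), status, key)
    return commits

def trusted(commits, sha, keyring):
    """Good signature made with a key that belongs to a committer."""
    _, status, key = commits[sha]
    return status == "G" and key in keyring

def unsigned_on_first_parent_chain(commits, tip, keyring):
    """Tip-signing model: every previous tip (first-parent ancestor) is signed."""
    bad, sha = [], tip
    while sha is not None:
        if not trusted(commits, sha, keyring):
            bad.append(sha)
        parents = commits[sha][0]
        sha = parents[0] if parents else None
    return bad

def unsigned_anywhere(commits, tip, keyring):
    """Per-changeset model: every commit reachable from the tip is signed."""
    bad, seen, stack = [], set(), [tip]
    while stack:
        sha = stack.pop()
        if sha in seen:
            continue
        seen.add(sha)
        if not trusted(commits, sha, keyring):
            bad.append(sha)
        stack.extend(commits[sha][0])
    return sorted(bad)
```

On the sample history the tip-signing check passes while the per-changeset check flags `f1` and `f2`, which is the gap that the merging committer's review has to cover.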




Updated Jun 29, 2012

Summary: Archive of the gentoo-dev mailing list.
