List Archive: gentoo-dev
Headers:
To: gentoo-dev@g.o
From: Dirkjan Ochtman <djc@g.o>
Subject: Re: Git braindump: 1 of N: merging & git signing
Date: Mon, 4 Jun 2012 17:02:08 +0200
On Mon, Jun 4, 2012 at 4:48 PM, Rich Freeman <rich0@g.o> wrote:
> When I do a cvs commit, I don't check the logs to make sure the last
> 25 commits all look valid.  So, why would I expect others to do any
> differently in git.  I make my changes, I run a git pull (bringing in
> the hacked commit on gentoo-x86 master), and then merge/rebase in my
> changes, signing my commit (which indicates that what _I_ just
> committed is good, not that everything before is good).  I am not the
> one committing in hacked files - they were there before I got there.

If the tree was bad before you pushed, then it's not your fault the
tree is bad. You're only responsible for the commits you bring into
the tree, so if you're merging contributors' unsigned changesets, you
merge them with a signature of your own.

>> Of course, we'd have to make sure the tip of whatever is pushed is
>> always signed, but the hook for that should be trivial.
>
> Yup, but the hacker wouldn't run the hook.

If the hacker has unfettered access to the server where the repository
lives, we probably have bigger problems, as they can get whatever
rsynced to all our users. I guess we could have the rsync process check
that the cset it's about to push out to mirrors is signed?

Cheers,

Dirkjan
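
The two checks discussed in this message (a hook requiring every pushed tip to be signed, and a check run before the rsync export) could look like the following. This is an added example, not part of the original post or of Gentoo's infrastructure; the function names and the `VERIFY_TIP` override are hypothetical, and it assumes the server's GnuPG keyring holds only developer keys.

```shell
#!/bin/sh
# Added example: refuse tips that are not validly signed.
# Assumption: the GnuPG keyring of the account running this contains only
# trusted developer keys, so "signature verifies" means "signed by a developer".

# verify_tip SHA: succeed only if the commit's signature verifies.
# VERIFY_TIP (hypothetical knob) may name another checker taking the SHA.
verify_tip() {
    if [ -n "${VERIFY_TIP:-}" ]; then
        "$VERIFY_TIP" "$1"
    else
        git verify-commit "$1" >/dev/null 2>&1
    fi
}

# check_pushed_tips: pre-receive logic. Reads "<old> <new> <ref>" lines on
# stdin and returns non-zero if the new tip of any updated ref fails.
# Only the tip is checked: each pusher vouches for what they bring in.
check_pushed_tips() {
    rc=0
    while read -r old new ref || [ -n "$old" ]; do
        [ -z "$ref" ] && continue
        # An all-zero <new> is a ref deletion: there is no tip to verify.
        case "$new" in *[!0]*) ;; *) continue ;; esac
        if ! verify_tip "$new"; then
            echo "rejected $ref: tip $new is not validly signed" >&2
            rc=1
        fi
    done
    return "$rc"
}

# check_export_tip REPO REF: gate for the export job. Run it on the machine
# that builds the rsync tree, before syncing to mirrors, so a commit placed
# in the repository without going through the hook is still caught.
check_export_tip() {
    tip=$(git -C "$1" rev-parse --verify "$2^{commit}") || return 2
    ( cd "$1" && verify_tip "$tip" )
}

# Usage in hooks/pre-receive:   check_pushed_tips || exit 1
# Usage in the export script:   check_export_tip /path/to/repo master || exit 1
```
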




Updated Jun 29, 2012

Summary: Archive of the gentoo-dev mailing list.
