Gentoo Logo
Gentoo Spaceship




Note: Due to technical difficulties, the Archives are currently not up to date. GMANE provides an alternative service for most mailing lists.
c.f. bug 424647
List Archive: gentoo-dev
Navigation:
Lists: gentoo-dev: < Prev By Thread Next > < Prev By Date Next >
Headers:
To: gentoo-dev@g.o
From: Rich Freeman <rich0@g.o>
Subject: Re: Git braindump: 1 of N: merging & git signing
Date: Mon, 4 Jun 2012 10:48:21 -0400
On Mon, Jun 4, 2012 at 10:26 AM, Dirkjan Ochtman <djc@g.o> wrote:
> On Mon, Jun 4, 2012 at 4:18 PM, Rich Freeman <rich0@g.o> wrote:
>> How do you KNOW that the nearest signed descendant actually merged it?
>>
>> How do you know it wasn't added by a hacker?
>
> Because then the signature for the nearest signed descendant wouldn't
> check out (unless it got hacked before he signed it, of course, but in
> that case hopefully he wouldn't sign it...).

When I do a cvs commit, I don't check the logs to make sure the last
25 commits all look valid.  So, why would I expect others to do any
differently in git.  I make my changes, I run a git pull (bringing in
the hacked commit on gentoo-x86 master), and then merge/rebase in my
changes, signing my commit (which indicates that what _I_ just
commited is good, not that everything before is good).  I am not the
one commiting in hacked files - they were there before I got there.

>
> Of course, we'd have to make sure the tip of whatever is pushed is
> always signed, but the hook for that should be trivial.

Yup, but the hacker wouldn't run the hook.

Rich


Replies:
Re: Git braindump: 1 of N: merging & git signing
-- Dirkjan Ochtman
References:
Git braindump: 1 of N: merging & git signing
-- Robin H. Johnson
Re: Git braindump: 1 of N: merging & git signing
-- Andreas K. Huettel
Re: Git braindump: 1 of N: merging & git signing
-- Dirkjan Ochtman
Re: Git braindump: 1 of N: merging & git signing
-- Andreas K. Huettel
Re: Git braindump: 1 of N: merging & git signing
-- Dirkjan Ochtman
Re: Git braindump: 1 of N: merging & git signing
-- Rich Freeman
Re: Git braindump: 1 of N: merging & git signing
-- Dirkjan Ochtman
Re: Git braindump: 1 of N: merging & git signing
-- Rich Freeman
Re: Git braindump: 1 of N: merging & git signing
-- Dirkjan Ochtman
Re: Git braindump: 1 of N: merging & git signing
-- Rich Freeman
Re: Git braindump: 1 of N: merging & git signing
-- Dirkjan Ochtman
Navigation:
Lists: gentoo-dev: < Prev By Thread Next > < Prev By Date Next >
Previous by thread:
Re: Git braindump: 1 of N: merging & git signing
Next by thread:
Re: Git braindump: 1 of N: merging & git signing
Previous by date:
Re: Git braindump: 1 of N: merging & git signing
Next by date:
Re: Git braindump: 1 of N: merging & git signing


Updated Jun 29, 2012

Summary: Archive of the gentoo-dev mailing list.

Donate to support our development efforts.

Copyright 2001-2013 Gentoo Foundation, Inc. Questions, Comments? Contact us.