List Archive: gentoo-dev
Headers:
To: gentoo-dev@g.o
From: Rich Freeman <rich0@g.o>
Subject: Re: Git braindump: 1 of N: merging & git signing
Date: Mon, 4 Jun 2012 16:57:42 -0400
On Mon, Jun 4, 2012 at 4:41 PM, Brian Harring <ferringb@...> wrote:
>
> If that doesn't answer your question/concerns, be more explicit
> please.

How about a scenario:

1.  Gentoo dev commits a bunch of stuff to the tree.  Top of tree is signed.
2.  Hacker commits something to the tree.  Top of tree is not signed.
No need for preimage attacks or whatever on sha1 - they just log into
the server and do a git commit or whatever right into the tree.
3.  Gentoo dev commits a bunch of stuff to the tree.  Top of tree is signed.
4.  Rsync mirror update happens - top of tree is signed, so update
proceeds normally.

If you go back and look at the tree you see a bunch of signed and
unsigned commits.  How do you easily detect how the unsigned ones got
there (via a dev with a merge commit, or via other means)?  Either way
they'll be parents of merge commits - since merge commits have two
parents - the pre-commit gentoo-x86 tree, and the incoming commits.

Andreas - I'm pretty sure a merge commit still includes a tree.

Rich
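
The scenario in the message above, modelled in Python as an added example (it is not part of the original message or of any Gentoo tooling). It shows that the tip-only check in step 4 passes, and it separates unsigned commits that sit on the first-parent chain from those that arrive through a signed merge. The commit ids and signed flags are constructed, and the split assumes every update keeps the previous top of tree as the first parent; a merge that pulls the server side in as its second parent would blur it, which is the ambiguity the message points at.

```python
# Constructed commit graph modelling the scenario in the message above.
# Each entry: commit id -> (parents, signed); parents[0] is the first parent.
COMMITS = {
    "A": ([], True),            # step 1: dev commit, signed
    "F1": (["A"], False),       # unsigned contributor commit
    "F2": (["F1"], False),      # unsigned contributor commit
    "M": (["A", "F2"], True),   # step 1: dev's signed merge of F1..F2
    "H": (["M"], False),        # step 2: committed directly on the server
    "D": (["H"], True),         # step 3: dev commit, signed; top of tree
}

def tip_signed(commits, tip):
    """The only check the mirror update in step 4 performs."""
    return commits[tip][1]

def mainline(commits, tip):
    """Follow first parents only, from the tip back to the root."""
    chain = []
    cur = tip
    while cur is not None:
        chain.append(cur)
        parents = commits[cur][0]
        cur = parents[0] if parents else None
    return chain

def classify_unsigned(commits, tip):
    """Return (direct, via_merge): unsigned commits on the mainline, and
    unsigned commits reachable only through a non-first parent of a mainline
    merge, mapped to that merge (None if the merge itself is unsigned)."""
    chain = mainline(commits, tip)
    direct = [c for c in chain if not commits[c][1]]
    via_merge = {}
    seen = set(chain)
    for m in reversed(chain):            # oldest merge first
        parents, signed = commits[m]
        stack = list(parents[1:])        # side branches only
        while stack:
            c = stack.pop()
            if c in seen:
                continue
            seen.add(c)
            if not commits[c][1]:
                via_merge[c] = m if signed else None
            stack.extend(commits[c][0])
    return direct, via_merge
```
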




Updated Jun 29, 2012

Summary: Archive of the gentoo-dev mailing list.


Copyright 2001-2013 Gentoo Foundation, Inc. Questions, Comments? Contact us.