Hey Robin,

thanks for the summary.


On Tuesday 02 June 2009, Robin H. Johnson wrote:
> - Review commit signing
> - pclouds (a former Gentoo dev) contributed this prototype:
> http://thread.gmane.org/gmane.comp.version-control.git/115562/focus=118788
> - I'm not entirely convinced the above is right, as the commit
> message seems to end up unsigned.

I was wondering why we need GPG signing of commits at all. I was
thinking about the following two arguments:

0. Intro
git stores the SHA1 hashes of objects and one can check for errors in
the transmission or on the disk. This makes the (unsigned) Manifest
parts unnecessary. Commit signing is the equivalent of Manifest file
signing we have right now.

1. It's not needed for tree signing
The tree signing GLEP does not require signing of either commits or
Manifests. It relies on the main infra repository not being
compromised.

2. It is not well designed (cryptographically)
OpenPGP allows the usage of a set of cryptographic hash functions to sign
a document. This allows people to switch to a different function once
attacks against one algorithm become known. This has been recently seen
with SHA-1: http://www.debian-administration.org/users/dkg/weblog/48

The git signing, however, relies on the collision resistance of SHA-1 as
that algorithm is used to identify objects in the repository. We cannot
migrate away from it easily. This has been discussed upstream at length
and Linus pointed out that 'the "signed tags" security does depend on
the hashes being cryptographically strong.':
http://thread.gmane.org/gmane.comp.version-control.git/26106/focus=26125


What if we just drop the commit signing and corresponding hooks, and
focus on the tree signing and push logging even though we use gitosis?


Robert
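The SHA-1 dependence raised under point 2, shown as an added example that is not part of the original mail: the object naming and commit layout follow git's real format, while the signature is a constructed HMAC stand-in (a real OpenPGP signature would differ only in the key material, not in what it covers).

```python
import hashlib
import hmac

def git_object_id(kind: str, content: bytes) -> str:
    """Object name as `git hash-object -t <kind>` computes it:
    SHA-1 over "<kind> <size>\\0<content>"; the algorithm is fixed by git."""
    header = f"{kind} {len(content)}\0".encode()
    return hashlib.sha1(header + content).hexdigest()

def git_tree(entries) -> bytes:
    """Serialise a tree object: '<mode> <name>\\0<20 raw SHA-1 bytes>' per entry."""
    data = b""
    for mode, name, oid in sorted(entries, key=lambda e: e[1]):
        data += f"{mode} {name}\0".encode() + bytes.fromhex(oid)
    return data

def commit_payload(tree: bytes, parents, ident: str, msg: str) -> bytes:
    """The bytes a commit signature covers. Note the tree (and so every
    file) is referenced only by its SHA-1 name, never by its contents."""
    lines = [f"tree {git_object_id('tree', tree)}"]
    lines += [f"parent {p}" for p in parents]
    lines += [f"author {ident}", f"committer {ident}", "", msg]
    return ("\n".join(lines) + "\n").encode()

# Stand-in for the OpenPGP signature (constructed: HMAC with a fixed key
# instead of a real key pair). The digest is a parameter, because OpenPGP
# lets the signer pick it; that is the hash agility the mail refers to.
KEY = b"constructed-signing-key"

def sign(payload: bytes, digest: str = "sha256") -> str:
    return hmac.new(KEY, payload, digest).hexdigest()

def verify_commit(payload: bytes, sig: str, tree: bytes, digest: str = "sha256") -> bool:
    """Step 1 uses whichever digest the signer chose; step 2, which binds
    the signed text to the actual tree contents, is always SHA-1."""
    if not hmac.compare_digest(sign(payload, digest), sig):
        return False
    signed_tree = payload.split(b"\n", 1)[0].split(b" ")[1].decode()
    return signed_tree == git_object_id("tree", tree)

# Constructed repository state: one Manifest file in the root tree.
BLOB = b"DIST foo-1.0.tar.bz2 1234 SHA256 0123abcd\n"
TREE = git_tree([("100644", "Manifest", git_object_id("blob", BLOB))])
PAYLOAD = commit_payload(TREE, [], "Dev <dev@example.org> 1243900000 +0000", "Add Manifest")
SIG = sign(PAYLOAD)
```

Swapping the signature digest between sha256 and sha1 changes nothing about step 2, which is exactly why replacing the hash inside OpenPGP does not remove git's own SHA-1 dependence.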