| 1 |
Hey Robin, |
| 2 |
|
| 3 |
thanks for the summary. |
| 4 |
|
| 5 |
|
| 6 |
On Tuesday 02 June 2009, Robin H. Johnson wrote: |
| 7 |
> - Review commit signing |
| 8 |
> - pclouds (a former Gentoo dev) contributed this prototype: |
| 9 |
> http://thread.gmane.org/gmane.comp.version-control.git/115562/focus= |
| 10 |
>118788 - I'm not entirely convinced the above is right, as the commit |
| 11 |
> message seems to end up unsigned. |
| 12 |
|
| 13 |
I was wondering why we need GPG signing of commits at all. I was |
| 14 |
thinking about the following two arguments: |
| 15 |
|
| 16 |
0. Intro |
| 17 |
git stores the SHA1 hashes of objects and one can check for errors in |
| 18 |
the transmission or on the disk. This makes the (unsigned) Manifest |
| 19 |
parts unnecessary. Commit signing is the equivalent of Manifest file |
| 20 |
signing we have right now. |
| 21 |
|
| 22 |
1. It's not needed for tree signing |
| 23 |
The tree signing GLEP does not require signing of either commits or |
| 24 |
Manifests. It relies on the main infra repository is not being |
| 25 |
compromised. |
| 26 |
|
| 27 |
2. It is not well designed (cryptographically) |
| 28 |
OpenGPG allows the usage of a set of cryptographic hash function to sign |
| 29 |
a document. This allows people to switch to a different function once |
| 30 |
attacks against one algorithm become known. This has been recently seen |
| 31 |
with SHA-1: http://www.debian-administration.org/users/dkg/weblog/48 |
| 32 |
|
| 33 |
The git signing, however, relies on the collision resistance of SHA-1 as |
| 34 |
that algorithm is used to identify objects in the repository. We cannot |
| 35 |
migrate away from it easily. This has been discussed upstream at length |
| 36 |
and Linus pointed out that 'the "signed tags" security does depend on |
| 37 |
the hashes being cryptographically strong.': |
| 38 |
http://thread.gmane.org/gmane.comp.version-control.git/26106/focus=26125 |
| 39 |
|
| 40 |
|
| 41 |
What if we just drop the commit signing and coresponding hooks, and |
| 42 |
focus on the tree signing and push logging even though we use gitosis ? |
| 43 |
|
| 44 |
|
| 45 |
Robert |
Archives