List Archive: gentoo-scm
Headers:
To: gentoo-scm@g.o
From: Robert Buchholz <rbu@g.o>
Subject: gpg signing of commits, was: Progress summary, 2009/06/01
Date: Fri, 5 Jun 2009 14:59:18 +0200
Hey Robin,

thanks for the summary.


On Tuesday 02 June 2009, Robin H. Johnson wrote:
> - Review commit signing
>   - pclouds (a former Gentoo dev) contributed this prototype:
>     http://thread.gmane.org/gmane.comp.version-control.git/115562/focus=118788
>   - I'm not entirely convinced the above is right, as the commit
>     message seems to end up unsigned.

I was wondering why we need GPG signing of commits at all. I was 
thinking about the following two arguments:

0. Intro
git stores the SHA1 hashes of objects and one can check for errors in 
the transmission or on the disk. This makes the (unsigned) Manifest 
parts unnecessary. Commit signing is the equivalent of Manifest file 
signing we have right now.

1. It's not needed for tree signing
The tree signing GLEP does not require signing of either commits or 
Manifests. It relies on the main infra repository not being 
compromised.

2. It is not well designed (cryptographically)
OpenPGP allows the usage of a set of cryptographic hash functions to sign 
a document. This allows people to switch to a different function once 
attacks against one algorithm become known. This has been recently seen 
with SHA-1: http://www.debian-administration.org/users/dkg/weblog/48

The git signing, however, relies on the collision resistance of SHA-1 as 
that algorithm is used to identify objects in the repository. We cannot 
migrate away from it easily. This has been discussed upstream at length 
and Linus pointed out that 'the "signed tags" security does depend on 
the hashes being cryptographically strong.':
http://thread.gmane.org/gmane.comp.version-control.git/26106/focus=26125


What if we just drop the commit signing and corresponding hooks, and 
focus on the tree signing and push logging even though we use gitosis?


Robert
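To make the SHA-1 dependency argued above concrete, here is an added example (not part of the thread or of git itself) that computes git object ids the way git does and builds the commit text a GPG signature would cover; the `algo` parameter is an illustrative extension to show that changing the hash changes every id, and the file names and identity string are constructed.

```python
import hashlib

# Git identifies every object by a hash over "<type> <size>\0<payload>".
# The algorithm is baked into every id a tree or commit refers to, which
# is the coupling to SHA-1 the message above describes.
def git_object_id(kind: str, payload: bytes, algo: str = "sha1") -> str:
    header = f"{kind} {len(payload)}".encode() + b"\0"
    return hashlib.new(algo, header + payload).hexdigest()

def blob_id(content: bytes, algo: str = "sha1") -> str:
    return git_object_id("blob", content, algo)

def tree_payload(entries: list[tuple[str, str, str]]) -> bytes:
    # entries: (mode, name, hex object id). A tree stores the *binary* id of
    # each child, sorted by name (plain files only here; real git sorts a
    # directory as if its name had a trailing "/").
    out = b""
    for mode, name, hex_id in sorted(entries, key=lambda e: e[1]):
        out += f"{mode} {name}".encode() + b"\0" + bytes.fromhex(hex_id)
    return out

def commit_payload(tree_id: str, parents: list[str], ident: str, message: str) -> bytes:
    # This is the text a GPG signature on a commit or tag covers: it names
    # the tree and parents only by their hashes, so the signature vouches
    # for file contents only as far as that hash is collision resistant.
    lines = [f"tree {tree_id}"]
    lines += [f"parent {p}" for p in parents]
    lines += [f"author {ident}", f"committer {ident}", "", message]
    return "\n".join(lines).encode()

def signed_text_for(files: dict[str, bytes], ident: str, message: str,
                    algo: str = "sha1") -> bytes:
    # Build blob -> tree -> commit for a flat set of files and return the
    # bytes a signature would be computed over.
    entries = [("100644", name, blob_id(data, algo)) for name, data in files.items()]
    tree_id = git_object_id("tree", tree_payload(entries), algo)
    return commit_payload(tree_id, [], ident, message)

if __name__ == "__main__":
    ident = "A Dev <dev@example.invalid> 1244206758 +0200"  # constructed
    good = signed_text_for({"foo.ebuild": b"hello\n"}, ident, "initial")
    bad = signed_text_for({"foo.ebuild": b"hello!\n"}, ident, "initial")
    print(good.decode())
    # Tampering with a blob changes the tree id and therefore the signed text,
    # but only because SHA-1 maps the two contents to different ids.
    print("signed text differs after tamper:", good != bad)
```

The two well-known ids (`ce0136...` for a blob containing "hello\n" and `4b825d...` for the empty tree) can be cross-checked against `git hash-object` on any machine with git installed.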