List Archive: gentoo-scm
Thanks for the summary.
On Tuesday 02 June 2009, Robin H. Johnson wrote:
> - Review commit signing
> - pclouds (a former Gentoo dev) contributed this prototype:
>118788 - I'm not entirely convinced the above is right, as the commit
> message seems to end up unsigned.
I was wondering why we need GPG signing of commits at all. I was
thinking about the following two arguments:
git stores the SHA1 hashes of objects and one can check for errors in
the transmission or on the disk. This makes the (unsigned) Manifest
parts unnecessary. Commit signing is the equivalent of Manifest file
signing we have right now.
1. It's not needed for tree signing
The tree signing GLEP does not require signing of either commits or
Manifests. It relies on the main infra repository is not being
2. It is not well designed (cryptographically)
OpenPGP allows the usage of a set of cryptographic hash functions to sign
a document. This allows people to switch to a different function once
attacks against one algorithm become known. This has been recently seen
with SHA-1: http://www.debian-administration.org/users/dkg/weblog/48
The git signing, however, relies on the collision resistance of SHA-1 as
that algorithm is used to identify objects in the repository. We cannot
migrate away from it easily. This has been discussed upstream at length
and Linus pointed out that 'the "signed tags" security does depend on
the hashes being cryptographically strong.':
What if we just drop the commit signing and corresponding hooks, and
focus on the tree signing and push logging even though we use gitosis?
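The dependency on SHA-1 raised in the message above, as an added example that is not part of the original post or of any Gentoo or git code: it rebuilds git's object IDs by hand and shows that the commit text, which is what a signature over a commit would cover, names file content only through a chain of SHA-1 hashes. The file name, ebuild content, identity and timestamp are constructed, and signing over the commit object text is an assumption, since the prototype's scheme is not shown on the page.

```python
import hashlib


def git_object_id(obj_type: str, body: bytes) -> str:
    """Git object ID: SHA-1 over '<type> <length>\\0' followed by the body."""
    header = f"{obj_type} {len(body)}".encode() + b"\x00"
    return hashlib.sha1(header + body).hexdigest()


def tree_body(entries):
    """Serialize (mode, name, hex_id) entries; plain files only, sorted by name."""
    out = b""
    for mode, name, hex_id in sorted(entries, key=lambda e: e[1]):
        # Each entry stores the raw 20-byte SHA-1 of the object it points to.
        out += f"{mode} {name}".encode() + b"\x00" + bytes.fromhex(hex_id)
    return out


def commit_body(tree_id: str, message: str) -> bytes:
    """Commit text: it references the tree by hash and holds no file content."""
    ident = "Example Dev <dev@example.org> 1243900800 +0000"  # constructed
    return (f"tree {tree_id}\nauthor {ident}\ncommitter {ident}\n\n"
            f"{message}\n").encode()


def build(ebuild: bytes):
    """Return (blob_id, tree_id, commit_text, commit_id) for a one-file tree."""
    blob_id = git_object_id("blob", ebuild)
    tree_id = git_object_id(
        "tree", tree_body([("100644", "foo-1.0.ebuild", blob_id)]))
    text = commit_body(tree_id, "add foo-1.0")
    return blob_id, tree_id, text, git_object_id("commit", text)


if __name__ == "__main__":
    # Constructed sample content: one original file and one modified copy.
    good = build(b'EAPI=2\nSRC_URI="http://example.org/foo-1.0.tar.gz"\n')
    evil = build(b'EAPI=2\nSRC_URI="http://example.net/foo-1.0.tar.gz"\n')
    print("text a signature would cover:\n" + good[2].decode())
    for label, g, e in zip(("blob", "tree"), good, evil):
        print(f"{label:6} {g}  ->  {e}")
    print(f"commit {good[3]}  ->  {evil[3]}")
    # The changed file is detected only because the blob hash, then the tree
    # hash inside the commit text, change with it. Content that collided with
    # the original blob under SHA-1 would leave the commit text, and therefore
    # any signature over it, unchanged.
```
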