| 1 |
On 21 September 2014 09:01, hasufell <hasufell@g.o> wrote: |
| 2 |
|
| 3 |
> Because there are other VCSs it is not a bug?? |
| 4 |
> |
| 5 |
> |
| 6 |
No, it just means "using SHA1 for making a repository work" is not a bug, |
| 7 |
just like using "i am number 6, parent is number 5" is not a "security" bug. |
| 8 |
|
| 9 |
|
| 10 |
> Of course it is a bug since it is in the gpg-signing chain and to use it |
| 11 |
> in a practical way is very unlikely. |
| 12 |
> |
| 13 |
> |
| 14 |
Its only a bug in that we're intending to use it for something it was not |
| 15 |
designed for. SHA1s are not a security mechanism for Git. |
| 16 |
|
| 17 |
GPGs are not entirely useless there, just we're taking more meaning from it |
| 18 |
than it really supports. |
| 19 |
|
| 20 |
I literally read GPG as being no more evidence than proof that, "yes, I |
| 21 |
wrote that commit message, and I wrote that commit". It doesn't prove you |
| 22 |
made any of those dependencies ( because some of those dependencies is gits |
| 23 |
entire history of commits down the parent -> parent -> parent line ) |
| 24 |
|
| 25 |
|
| 26 |
> So you are suggesting to not migrate at all or severely break the |
| 27 |
> workflow because someone might forge _working code_ with a specific |
| 28 |
> SHA1? There is no efficient algorithm for that afaik, those are just |
| 29 |
> about finding _any_ collision and even then it takes considerable |
| 30 |
> resources that can be used to break gentoo in much easier ways. |
| 31 |
> |
| 32 |
|
| 33 |
He is proposing quite the opposite. He's saying "git is not secure in this |
| 34 |
way, but lets not let that stop us, migrate and fix that after the fact or |
| 35 |
we'll never get around to it, because all this debate is the perfect being |
| 36 |
the enemy of the good". |
| 37 |
|
| 38 |
Git is still more than adequately secure without GPG to defend against a |
| 39 |
whole bunch of attacks you'd need NSA grade stuff to attack as it is, and |
| 40 |
GPG on the commits themselves basically rules out the easiest place |
| 41 |
somebody *could* get things in without a GPG. |
| 42 |
|
| 43 |
That is to say: without gpg, you can just create some random commit with |
| 44 |
some arbitrary content and push it somewhere, and you can pretend you're a |
| 45 |
gentoo dev and pretend you're writing commits as them. |
| 46 |
|
| 47 |
GPG sufficiently prevents that from happening, and takes it from ameteur |
| 48 |
grade imposter requirements to NSA grade imposter requirements. And that's |
| 49 |
not a bad compromise for being imperfect. |
| 50 |
|
| 51 |
|
| 52 |
-- |
| 53 |
Kent |
| 54 |
|
| 55 |
*KENTNL* - https://metacpan.org/author/KENTNL |
Archives