From: | Matthias Maier <tamiko@g.o>
---|---
To: | gentoo-dev@l.g.o
Subject: | Re: [gentoo-dev] Re: rsync mirror security
Date: | Tue, 11 Aug 2015 03:44:55
Message-Id: | 87oaiewkt2.fsf@jackdaw.kyomu.43-1.org
In Reply to: | Re: [gentoo-dev] Re: rsync mirror security by Kent Fredric

> That is, I was under the impression signing a tag only signs the
> references themselves, and then relies on SHA1 referential integrity
> beyond that.

No, a signed tag verifies the whole integrity of the entire
repository, whereas a signed commit only authenticates the differences
introduced by a single commit.

As long as there are no conflicts, a signed commit can be rebased
freely (especially also on top of malicious commits...).

Best,
Matthias

Subject | Author |
---|---|
Re: [gentoo-dev] Re: rsync mirror security | Kent Fredric <kentfredric@×××××.com> |
Re: [gentoo-dev] Re: rsync mirror security | Rich Freeman <rich0@g.o> |