Archives
Archives
| From: | Matthias Maier <tamiko@g.o> | ||
|---|---|---|---|
| To: | gentoo-dev@l.g.o | ||
| Subject: | Re: [gentoo-dev] Re: rsync mirror security | ||
| Date: | Tue, 11 Aug 2015 03:44:55 | ||
| Message-Id: | 87oaiewkt2.fsf@jackdaw.kyomu.43-1.org | ||
| In Reply to: | Re: [gentoo-dev] Re: rsync mirror security by Kent Fredric |
||
| 1 | > That is, I was under the impression signing a tag only signs the |
| 2 | > references themselves, and then relies on SHA1 referential integrity |
| 3 | > beyond that. |
| 4 | |
| 5 | No, a signed tag verifies that the whole integrirty of the entire |
| 6 | repository, whereas a signed commit only authenticates the differences |
| 7 | introduced by a single commit. |
| 8 | |
| 9 | As long as there are no conflicts, a signed commit can be rebased |
| 10 | freely (especially also on top of malicious commits...). |
| 11 | |
| 12 | Best, |
| 13 | Matthias |
| Subject | Author |
|---|---|
| Re: [gentoo-dev] Re: rsync mirror security | Kent Fredric <kentfredric@×××××.com> |
| Re: [gentoo-dev] Re: rsync mirror security | Rich Freeman <rich0@g.o> |