On Sun, Sep 14, 2014 at 07:13:21PM -0400, Rich Freeman wrote:
> The only thing that gets signed is the commit message, and the only
> thing that ties the commit message to the code is the sha1 of the
> top-level tree. If you can attack sha1 either at any tree level or at
> the blob level you can defeat the signature.
>
> That is way better than nothing though - I think it is worth pursuing
> until somebody comes up with a way to upgrade git to more secure
> hashes. Most projects don't gpg sign their trees at all, including
> linux.

I'm not worried about the attack (as I explained earlier in this
thread). I'm just arguing for signing first-parent commits to master,
and not worrying about signatures on any side-branch commits. So long
as the merge gets signed, you've got all the security you're going to
get. Leaving the side-branch commits unchanged allows you to preserve
any non-dev commit hashes, which makes it easier for contributors to
verify that their changes have landed (the same way that GitHub is
checking to know when to automatically close pull requests).

Cheers,
Trevor

-- 
This email may be signed or encrypted with GnuPG (http://www.gnupg.org).
For more information, see http://en.wikipedia.org/wiki/Pretty_Good_Privacy
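An added example (not code from the thread, from Gentoo or from git itself) of the check that Trevor's policy implies: walk only the first-parent history of master and flag any commit that does not carry a good signature, leaving side-branch commits out of scope. It uses git's `%G?` log placeholder; the function names and the sample log lines are constructed assumptions.

```python
# Added example (not code from the thread, Gentoo or git): check the policy
# described above, that every first-parent commit on master carries a valid
# signature, using git's real "%G?" placeholder. Names and sample are made up.
import subprocess

# One-letter signature status that git prints for %G? (see git-log(1)).
STATUS = {
    "G": "good signature",
    "B": "bad signature",
    "U": "good signature, key of unknown validity",
    "X": "good signature that has expired",
    "Y": "good signature made by an expired key",
    "R": "good signature made by a revoked key",
    "E": "signature cannot be checked (missing key or error)",
    "N": "no signature",
}

def first_parent_log(repo, branch="master"):
    """First-parent history of `branch` as '<sha> <status> <subject>' lines."""
    cmd = ["git", "-C", repo, "log", "--first-parent", "--format=%H %G? %s", branch]
    out = subprocess.run(cmd, check=True, capture_output=True, text=True).stdout
    return out.splitlines()

def unsigned_first_parents(log_lines, accepted=frozenset({"G"})):
    """Return (sha, status, meaning, subject) for every line whose status is
    not in `accepted`; add "U" there if key trust is tracked outside GPG."""
    failures = []
    for line in log_lines:
        parts = line.strip().split(" ", 2)
        if len(parts) < 2:
            continue  # blank or malformed line
        sha, status = parts[0], parts[1]
        subject = parts[2] if len(parts) == 3 else ""
        if status not in accepted:
            failures.append((sha, status, STATUS.get(status, "unknown"), subject))
    return failures

# Constructed sample of the git output above (made-up, abbreviated hashes);
# side-branch commits are absent by construction, so they are never checked.
SAMPLE_LOG = [
    "1111111 G Merge branch 'feature-x'",
    "2222222 N Merge pull request #42 from contributor/fix",
    "3333333 U Merge branch 'feature-y'",
    "4444444 B Merge branch 'feature-z'",
    "5555555 E Merge branch 'feature-w'",
    "6666666 G Initial commit",
]
```

On a real repository, `unsigned_first_parents(first_parent_log("/path/to/repo"))` runs the same check over the actual first-parent history of master.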