| 1 |
On Sun, Sep 14, 2014 at 07:13:21PM -0400, Rich Freeman wrote: |
| 2 |
> The only thing that gets signed is the commit message, and the only |
| 3 |
> thing that ties the commit message to the code is the sha1 of the |
| 4 |
> top-level tree. If you can attack sha1 either at any tree level or at |
| 5 |
> the blob level you can defeat the signature. |
| 6 |
> |
| 7 |
> That is way better than nothing though - I think it is worth pursuing |
| 8 |
> until somebody comes up with a way to upgrade git to more secure |
| 9 |
> hashes. Most projects don't gpg sign their trees at all, including |
| 10 |
> linux. |
| 11 |
|
| 12 |
I'm not worried about the attack (as I explained earlier in this |
| 13 |
thread). I'm just arguing for signing first-parent commits to master, |
| 14 |
and not worrying about signatures on any side-branch commits. So long |
| 15 |
as the merge gets signed, you've got all the security you're going to |
| 16 |
get. Leaving the side-branch commits unchanged allows you to preserve |
| 17 |
any non-dev commit hashes, which makes it easier for contributors to |
| 18 |
verify that their changes have landed (the same way that GitHub is |
| 19 |
checking to know when to automatically close pull requests). |
| 20 |
|
| 21 |
Cheers, |
| 22 |
Trevor |
| 23 |
|
| 24 |
-- |
| 25 |
This email may be signed or encrypted with GnuPG (http://www.gnupg.org). |
| 26 |
For more information, see http://en.wikipedia.org/wiki/Pretty_Good_Privacy |
Archives