On Fri, Jul 3, 2015 at 5:40 PM, Robin H. Johnson <robbat2@g.o> wrote:
> On Sat, Jul 04, 2015 at 12:19:41AM +0300, Andrew Savchenko wrote:
>> As I see from git docs only commits and tags may be signed. There
>> is no way to sign a push. Moreover there is no need to sign each
>> commit, see what Linux says on that:
>> http://git.661346.n2.nabble.com/GPG-signing-for-git-commit-td2582986.html
> That was Linus's 2009 opinion, and he changed his mind since then, with
> the research into further attacks on SHA1.
>

A few things. I agree with where you're going, Robin, but I do take
issue with just one bit of your email.

First, signing commits in no way protects against attacks on SHA1.
The only thing that binds a commit record to the actual data in the
tree is an SHA1 hash. If you are able to break SHA1 then all you need
to do is tamper with a file in the tree however you want, then add or
tamper with another file anywhere else in the tree such that the two
changes "cancel each other out" and result in the same SHA1 hash.
Then you swap out any blobs/trees you modified in the repository and
nobody is the wiser, especially with something like Gentoo where you
can stick something in a random filesdir anywhere in the tree where
nobody will notice it for a long time. The commit record itself is
not touched, so its signature verifies just fine.

That said, I do support commit signing. It makes a lot more sense for
a project like Gentoo than a project like Linux.

With Linux, the distributed repositories everybody actually uses have
only one committer each for the most part. The only person who
commits to mainline is Linus himself. Then there is a release process
where all the commits for the week go out with a git tag, which is
signed. Linus basically does the final QA on the mainline kernel
before it is released, and he assumes responsibility for every commit
that went into it.

In contrast, Gentoo has numerous committers and changes go right from
the dev's repository to every user's desktop. When I make a commit
I'm only responsible for my own change - I don't do QA on the last 47
commits other random devs have made. So, if the last commit doesn't
interact with mine in any way, chances are I won't do any testing of
it at all before I add my own signature - I won't even run repoman on
the entire tree. So, a dev's commit signature is really a stamp of
quality on the diff between their commit and the last, not the tree as
a whole. So, it really makes sense to do the signing at the commit
level, and not at some higher level. In fact, to do the signing at a
higher level really does amount to rubber-stamping changes in a way
that commit signing does not, based on how we assign responsibility.

If we were a release-based distro then tag signing would be much more important.

Finally, signing commits is really cheap, so why not just do it?

--
Rich
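To make the SHA1 point in the message above concrete, here is an added example (my own code, not from the mailing-list post and not git's or Gentoo's code). It re-implements git's object hashing and the bytes `git verify-commit` checks a commit signature over, using a constructed tree with a stand-in ebuild, a `files/` directory, a fake author string and a placeholder signature. It shows that the signed bytes contain the root tree's SHA1 and nothing of the file contents: every blob and subtree is bound only through that hash chain.

```python
"""Added example (not from the post, git, or Gentoo): a minimal re-implementation
of git's object hashing and of the bytes a commit signature is verified over.
Repository contents, author identity and signature text are constructed stand-ins.
"""
import hashlib
from typing import Dict, List, Optional, Tuple


def git_object_id(kind: str, body: bytes) -> str:
    """SHA1 of '<kind> <size>\\0<body>', which is what `git hash-object` computes."""
    header = f"{kind} {len(body)}\0".encode()
    return hashlib.sha1(header + body).hexdigest()


def blob_id(content: bytes) -> str:
    return git_object_id("blob", content)


def tree_object(entries: List[Tuple[str, str, str]]) -> bytes:
    """Serialise tree entries (mode, name, hex id) the way git does:
    '<mode> <name>\\0' + raw 20-byte id, sorted by name with directories
    compared as if they carried a trailing '/'."""
    def sort_key(entry: Tuple[str, str, str]) -> str:
        mode, name, _ = entry
        return name + ("/" if mode == "40000" else "")
    body = b""
    for mode, name, oid in sorted(entries, key=sort_key):
        body += f"{mode} {name}\0".encode() + bytes.fromhex(oid)
    return body


def commit_object(tree_id: str, parents: List[str], ident: str,
                  message: str, gpgsig: Optional[str] = None) -> bytes:
    """Build a commit object; a signature is stored as a 'gpgsig' header whose
    continuation lines are indented by one space."""
    lines = [f"tree {tree_id}"] + [f"parent {p}" for p in parents]
    lines += [f"author {ident}", f"committer {ident}"]
    if gpgsig is not None:
        sig = gpgsig.splitlines()
        lines.append("gpgsig " + sig[0])
        lines += [" " + s for s in sig[1:]]
    return ("\n".join(lines) + "\n\n" + message).encode()


def signed_payload(commit: bytes) -> bytes:
    """The bytes the signature is made and verified over: the commit object
    with the gpgsig header (and its continuation lines) removed."""
    headers, _, message = commit.partition(b"\n\n")
    kept, skipping = [], False
    for line in headers.split(b"\n"):
        if line.startswith(b"gpgsig "):
            skipping = True
            continue
        if skipping and line.startswith(b" "):
            continue
        skipping = False
        kept.append(line)
    return b"\n".join(kept) + b"\n\n" + message


def tree_bound_by_signature(commit: bytes) -> str:
    """The only link from the signed bytes to the repository contents."""
    first = signed_payload(commit).split(b"\n", 1)[0]
    return first[len(b"tree "):].decode()


def demo() -> Dict[str, object]:
    # Constructed repository: one ebuild plus a files/ directory holding a patch.
    ebuild = b"EAPI=5\n"
    patch = b"--- a/x\n+++ b/x\n"
    files_tree = tree_object([("100644", "fix.patch", blob_id(patch))])
    root = tree_object([
        ("100644", "foo-1.ebuild", blob_id(ebuild)),
        ("40000", "files", git_object_id("tree", files_tree)),
    ])
    root_id = git_object_id("tree", root)
    commit = commit_object(
        root_id, [], "Dev Eloper <dev@example.org> 1435944000 +0000",  # constructed
        "app-misc/foo: version bump\n",
        gpgsig="-----BEGIN PGP SIGNATURE-----\n\nbm90IGEgcmVhbCBzaWduYXR1cmU=\n"
               "-----END PGP SIGNATURE-----",  # placeholder, not a real signature
    )
    payload = signed_payload(commit)
    return {
        "root_tree_id": root_id,
        "binds_tree_id": tree_bound_by_signature(commit) == root_id,
        # Nothing from the files themselves is in the signed bytes, so a blob
        # or subtree replaced by one with the same SHA1 leaves the commit
        # object, and therefore its signature, untouched.
        "ebuild_in_signed_bytes": ebuild in payload,
        "patch_in_signed_bytes": patch in payload,
        "signature_stripped": b"gpgsig" not in payload,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The known git ids for the empty blob and empty tree come out of `git_object_id` unchanged, so the hashing matches real git. What `demo()` makes visible is the shape of the attacker's job in the message above: not forging the signature, but producing a blob or tree whose SHA1 equals the one already named in the signed commit, after which `git verify-commit` has nothing to object to.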