| 1 |
On Fri, Jul 3, 2015 at 5:40 PM, Robin H. Johnson <robbat2@g.o> wrote: |
| 2 |
> On Sat, Jul 04, 2015 at 12:19:41AM +0300, Andrew Savchenko wrote: |
| 3 |
>> As I see from git docs only commits and tags may be signed. There |
| 4 |
>> is no way to sign a push. Moreover there is no need to sign each |
| 5 |
>> commit, see what Linux says on that: |
| 6 |
>> http://git.661346.n2.nabble.com/GPG-signing-for-git-commit-td2582986.html |
| 7 |
> That was Linus's 2009 opinion, and he changed his mind since then, with |
| 8 |
> the research into further attacks on SHA1. |
| 9 |
> |
| 10 |
|
| 11 |
A few things. I agree with where you're going, Robin, but I do take |
| 12 |
issue with just one bit of your email. |
| 13 |
|
| 14 |
First, signing commits in no way protects against attacks on SHA1. |
| 15 |
The only thing that binds a commit record to the actual data in the |
| 16 |
tree is an SHA1 hash. If you are able to break SHA1 then all you need |
| 17 |
to do is tamper with a file in the tree however you want, then add or |
| 18 |
tamper with another file anywhere else in the tree such that the two |
| 19 |
changes "cancel each other out" and result in the same SHA1 hash. |
| 20 |
Then you swap out any blobs/trees you modified in the repository and |
| 21 |
nobody is the wiser, especially with something like Gentoo where you |
| 22 |
can stick something in a random filesdir anywhere in the tree where |
| 23 |
nobody will notice it for a long time. The commit record itself is |
| 24 |
not touched, so its signature verifies just fine. |
| 25 |
|
| 26 |
That said, I do support commit signing. It makes a lot more sense for |
| 27 |
a project like Gentoo than a project like Linux. |
| 28 |
|
| 29 |
With Linux, the distributed repositories everybody actually uses have |
| 30 |
only one committer each for the most part. The only person who |
| 31 |
commits to mainline is Linus himself. Then there is a release process |
| 32 |
where all the commits for the week go out with a git tag, which is |
| 33 |
signed. Linus basically does the final QA on the mainline kernel |
| 34 |
before it is released, and he assumes responsibility for every commit |
| 35 |
that went into it. |
| 36 |
|
| 37 |
In contrast, Gentoo has numerous committers and changes go right from |
| 38 |
the dev's repository to every user's desktop. When I make a commit |
| 39 |
I'm only responsible for my own change - I don't do QA on the last 47 |
| 40 |
commits other random devs have made. So, if the last commit doesn't |
| 41 |
interact with mine in any way, chances are I won't do any testing of |
| 42 |
it at all before I add my own signature - I won't even run repoman on |
| 43 |
the entire tree. So, a dev's commit signature is really a stamp of |
| 44 |
quality on the diff between their commit and the last, not the tree as |
| 45 |
a whole. So, it really makes sense to the signing at the commit |
| 46 |
level, and not at some higher level. In fact, to do the signing at a |
| 47 |
higher level really does amount to rubber-stamping changes in a way |
| 48 |
that commit signing does not, based on how we assign responsibility. |
| 49 |
|
| 50 |
If we were a release-based distro then tag signing would be much more important. |
| 51 |
|
| 52 |
Finally, signing commits is really cheap, so why not just do it? |
| 53 |
|
| 54 |
-- |
| 55 |
Rich |
Archives