| 1 |
On Mon, Jun 4, 2012 at 6:06 PM, Rich Freeman <rich0@g.o> wrote: |
| 2 |
> Again, we don't need to be there 100% to go live. However, I think |
| 3 |
> that was the whole point of signing commits. If we aren't going to |
| 4 |
> add any assurance at all with our signing practices, then there isn't |
| 5 |
> much point in having them. |
| 6 |
|
| 7 |
True. However, I still think my idea of security (the tip of tree must |
| 8 |
always be signed by a gentoo.org committer) and your idea of security |
| 9 |
(every cset must be signed by a gentoo.org committer) give similar |
| 10 |
security guarantees in the end. Any user will rely on the last |
| 11 |
committer to have faithfully signed for an uncompromised tree. Any |
| 12 |
committer will rely on the previous committer to have faithfully |
| 13 |
signed for an uncompromised tree. So to prevent your scenario, we'd |
| 14 |
have to get everyone to check the signature of the tip of tree they |
| 15 |
pulled before committing/merging. Having every cset signed is |
| 16 |
something that might make verification slightly easier, but having all |
| 17 |
previous tips signed (i.e. merges) should be sufficient (if we can |
| 18 |
rely on committers to review changesets from other committers they |
| 19 |
pull from). |
| 20 |
|
| 21 |
Cheers, |
| 22 |
|
| 23 |
Dirkjan |
Archives