| 1 |
-----BEGIN PGP SIGNED MESSAGE----- |
| 2 |
Hash: SHA256 |
| 3 |
|
| 4 |
On 15/09/14 07:59 PM, Rich Freeman wrote: |
| 5 |
> On Mon, Sep 15, 2014 at 6:11 PM, Gordon Pettey |
| 6 |
> <petteyg359@×××××.com> wrote: |
| 7 |
>> |
| 8 |
>> Even if you wanted to burn the money to find that magical |
| 9 |
>> collision that actually contains working code, you've still got |
| 10 |
>> to somehow propagate that to other repositories, since they'll |
| 11 |
>> just ignore it for having the same hash as an already-existing |
| 12 |
>> object. |
| 13 |
>> |
| 14 |
> |
| 15 |
> Well, if you're willing to trust that nobody is able to tamper |
| 16 |
> with repositories, then you don't need gpg signatures in the first |
| 17 |
> place. |
| 18 |
> |
| 19 |
> I think that gpg signatures protected by an SHA1 hash provide |
| 20 |
> fairly little security - a chain is as strong as its weakest link |
| 21 |
> and sha1 has been considered fairly weak for years now. |
| 22 |
> |
| 23 |
> However, I think it does make sense to at least get gpg into the |
| 24 |
> workflow in the hopes that some day git will move to a stronger |
| 25 |
> hash, and since it isn't a huge hardship to do so. |
| 26 |
> |
| 27 |
> I wouldn't make too light of the use of SHA1 though. As you point |
| 28 |
> out simply exploiting it isn't enough, but the whole reason for |
| 29 |
> having signatures is to make an attack on a central repository |
| 30 |
> useless. Having gpg on top of ssh keys and all that is obviously |
| 31 |
> redundant, but that is the whole point of it. |
| 32 |
> |
| 33 |
> -- Rich |
| 34 |
> |
| 35 |
|
| 36 |
If the issue preventing protection is that the gpg signature only |
| 37 |
signs the hash, couldn't we just make repoman automatically add to the |
| 38 |
bottom of the comment a clearsign on the contents of the commit? |
| 39 |
|
| 40 |
|
| 41 |
-----BEGIN PGP SIGNATURE----- |
| 42 |
Version: GnuPG v2 |
| 43 |
|
| 44 |
iF4EAREIAAYFAlQYPskACgkQ2ugaI38ACPDjowEAmfMQePUgmLSDrmKyXxdUfbil |
| 45 |
g6KVaPkL1yfDwrLP7J8BAK+g5MMCMDgH9wDzEHIYerDi9ZIm39AfwazQF3mz3dPR |
| 46 |
=slAr |
| 47 |
-----END PGP SIGNATURE----- |
Archives