Gentoo Archives: gentoo-dev

From: "Robin H. Johnson" <robbat2@g.o>
To: gentoo-dev@l.g.o
Subject: Re: [gentoo-dev] Git Migration: launch plan & schedule (2015/Aug/08-09)
Date: Fri, 03 Jul 2015 21:41:03
Message-Id: robbat2-20150703T212250-365251671Z@orbis-terrarum.net
In Reply to: Re: [gentoo-dev] Git Migration: launch plan & schedule (2015/Aug/08-09) by Andrew Savchenko
On Sat, Jul 04, 2015 at 12:19:41AM +0300, Andrew Savchenko wrote:
> As I see from git docs only commits and tags may be signed. There
> is no way to sign a push. Moreover there is no need to sign each
> commit, see what Linux says on that:
> http://git.661346.n2.nabble.com/GPG-signing-for-git-commit-td2582986.html
That was Linus's 2009 opinion, and he changed his mind since then, with
the research into further attacks on SHA1.

Git (since 2.2) DOES support signed push. Look at the manpage for
git-push, for the --signed option:
http://git-scm.com/docs/git-push

The point of signed commits is to authenticate the creator of each
commit.

The point of signed pushes is to authenticate who introduced a commit
(it might NOT be the person who signed the commits) and intended it to
be on a specific branch.

A slightly out of date, but good backgrounder on signed commits is here:
http://mikegerwitz.com/papers/git-horror-story

The StackOverflow question asking about signed push is a good reference as well:
http://stackoverflow.com/questions/27299355/why-does-git-need-signed-pushes

--
Robin Hugh Johnson
Gentoo Linux: Developer, Infrastructure Lead
E-Mail : robbat2@g.o
GnuPG FP : 11ACBA4F 4778E3F6 E4EDF38E B27B944E 34884E85
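The receiving side of the distinction Robin draws above, as an added example that is not part of this mail and not Gentoo infrastructure's own hook code: a pre-receive hook that only accepts a push carrying a good, fresh push certificate, and that checks the refs named in the certificate against the refs git is about to update. It is built on the GIT_PUSH_CERT_* variables githooks(5) documents for pre-receive, and assumes git >= 2.2, a client using `git push --signed`, and a server with receive.certNonceSeed configured. The sample certificate, identity, nonce and object ids in it are constructed for the example.

```shell
#!/bin/sh
# Added example pre-receive hook (assumption about how such a hook could
# look; not from the mail above or from Gentoo's infra). Requires git >= 2.2
# on the server with receive.certNonceSeed set, so that each push gets a
# server-issued nonce and `git push --signed` certificates cannot be replayed.

# check_push_cert STATUS NONCE_STATUS -> 0 only when the certificate is usable.
#   STATUS is GIT_PUSH_CERT_STATUS: G good signature, B bad, U good but from an
#     untrusted key, N no signature. An unsigned push sets no GIT_PUSH_CERT_*
#     variables at all, so callers must default a missing value to N.
#   NONCE_STATUS is GIT_PUSH_CERT_NONCE_STATUS: OK means the client signed the
#     nonce this server issued for this very push.
check_push_cert() {
    [ "$1" = "G" ] || return 1      # reject unsigned, bad or untrusted signatures
    [ "$2" = "OK" ] || return 1     # reject missing, stale or replayed nonces
    return 0
}

# cert_refs reads a push certificate on stdin and prints one
# "<old> <new> <refname>" line per ref the pusher asserted they were updating.
# These lines are what bind the signature to a specific branch; a commit
# signature alone says nothing about where the commit was meant to land.
cert_refs() {
    awk '
        /^-----BEGIN PGP SIGNATURE-----/ { exit }  # detached signature follows
        in_body && NF == 3 { print }               # ref update lines
        /^$/ { in_body = 1 }                       # blank line ends the header
    '
}

# cert_pusher prints the "pusher" identity line from a certificate on stdin.
cert_pusher() {
    awk '/^pusher / { sub(/^pusher /, ""); print; exit }'
}

# refs_match CERT_REFS HOOK_REFS -> 0 when the updates git is about to apply
# (pre-receive stdin) are exactly the updates listed in the certificate.
refs_match() {
    [ "$(printf '%s\n' "$1" | sort)" = "$(printf '%s\n' "$2" | sort)" ]
}

# Constructed sample certificate, in the form `git cat-file blob "$GIT_PUSH_CERT"`
# prints it inside the hook. Identity, nonce and object ids are made up.
SAMPLE_CERT='certificate version 0.1
pusher Example Dev <dev@example.invalid> 1435959663 +0000
pushee git@example.invalid:repo.git
nonce 1435959663-deadbeefdeadbeefdeadbeefdeadbeef

0000000000000000000000000000000000000000 1111111111111111111111111111111111111111 refs/heads/master
-----BEGIN PGP SIGNATURE-----
(signature omitted in this constructed sample)
-----END PGP SIGNATURE-----'

# Hook entry point. git sets GIT_DIR when it runs a hook; outside a hook
# (e.g. running this file by hand) the checks above are just defined.
if [ -n "$GIT_DIR" ]; then
    status="${GIT_PUSH_CERT_STATUS:-N}"            # unset => unsigned push
    nonce="${GIT_PUSH_CERT_NONCE_STATUS:-MISSING}"
    if ! check_push_cert "$status" "$nonce"; then
        echo "rejected: push certificate status=$status nonce=$nonce" >&2
        exit 1
    fi
    hook_refs=$(cat)                                # updates git will apply
    cert=$(git cat-file blob "$GIT_PUSH_CERT")      # the signed certificate
    if ! refs_match "$(printf '%s\n' "$cert" | cert_refs)" "$hook_refs"; then
        echo "rejected: refs in certificate differ from refs being pushed" >&2
        exit 1
    fi
    echo "accepted signed push from $(printf '%s\n' "$cert" | cert_pusher)" >&2
fi
```

Install it as hooks/pre-receive in the bare repository, set a secret with `git config receive.certNonceSeed`, and push with `git push --signed`; an ordinary unsigned push then arrives with no GIT_PUSH_CERT_* variables and is refused by the `N` default, which is the failure mode to test first.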
