| 1 |
On Sat, Sep 20, 2014 at 4:40 PM, Ulrich Mueller <ulm@g.o> wrote: |
| 2 |
>>>>>> On Sat, 20 Sep 2014, hasufell wrote: |
| 3 |
> |
| 4 |
>>> Have these plans been abandoned, and are we now planning to |
| 5 |
>>> distribute the tree to users via Git, where everything goes through |
| 6 |
>>> the bottleneck of a SHA-1 sum, which was never intended as a |
| 7 |
>>> security feature? |
| 8 |
> |
| 9 |
>> This is a bug in git. Do you want us to wait until it is resolved? |
| 10 |
> |
| 11 |
> Not a bug. There are VCSs (like Subversion or Bazaar) that use simple |
| 12 |
> revision numbers to identify their commits. Git happens to use a hash, |
| 13 |
> which is perfectly fine as long as accidental collisions are unlikely. |
| 14 |
> Neither has to do anything with security, though. |
| 15 |
> |
| 16 |
|
| 17 |
Sure, but in that case why add gpg signatures to git at all? I think |
| 18 |
that just like Gentoo this is just the nature of FOSS - everybody has |
| 19 |
their opinion of what everything is supposed to do, and the only thing |
| 20 |
that really matters is what it can actually do and who writes code to |
| 21 |
get it to do something different. |
| 22 |
|
| 23 |
If Linus felt that git needed gpg signatures he'd have added them back |
| 24 |
in the beginning (for commits, not tags). Somebody else felt |
| 25 |
differently, and added them later, but did not address the hash issue. |
| 26 |
Maybe sometime down the road we'll see support for a different hash |
| 27 |
functions added, or some other workaround. All it would take is for |
| 28 |
somebody to write the code and support it seriously (either as part of |
| 29 |
git or a fork). |
| 30 |
|
| 31 |
But, I doubt anybody here wants to maintain that fork, so we're left |
| 32 |
with what we have now, which is a git which accepts signatures, but |
| 33 |
those signatures are only bound to code by sha1. |
| 34 |
|
| 35 |
With FOSS what is and isn't a bug is up to whoever wants to write the |
| 36 |
code to fix it, or pay somebody else to write it for them. |
| 37 |
|
| 38 |
-- |
| 39 |
Rich |
Archives