On Sat, Sep 20, 2014 at 4:40 PM, Ulrich Mueller <ulm@g.o> wrote:
>>>>>> On Sat, 20 Sep 2014, hasufell wrote:
>
>>> Have these plans been abandoned, and are we now planning to
>>> distribute the tree to users via Git, where everything goes through
>>> the bottleneck of a SHA-1 sum, which was never intended as a
>>> security feature?
>
>> This is a bug in git. Do you want us to wait until it is resolved?
>
> Not a bug. There are VCSs (like Subversion or Bazaar) that use simple
> revision numbers to identify their commits. Git happens to use a hash,
> which is perfectly fine as long as accidental collisions are unlikely.
> Neither has anything to do with security, though.
>

Sure, but in that case why add gpg signatures to git at all? I think
that just like Gentoo this is just the nature of FOSS - everybody has
their opinion of what everything is supposed to do, and the only thing
that really matters is what it can actually do and who writes code to
get it to do something different.

If Linus felt that git needed gpg signatures he'd have added them back
in the beginning (for commits, not tags). Somebody else felt
differently, and added them later, but did not address the hash issue.
Maybe sometime down the road we'll see support for a different hash
function added, or some other workaround. All it would take is for
somebody to write the code and support it seriously (either as part of
git or a fork).

But, I doubt anybody here wants to maintain that fork, so we're left
with what we have now, which is a git which accepts signatures, but
those signatures are only bound to code by sha1.

With FOSS what is and isn't a bug is up to whoever wants to write the
code to fix it, or pay somebody else to write it for them.

-- 
Rich
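The point above, that a commit signature is bound to the tree contents only through SHA-1, can be made concrete by rebuilding git's object ids by hand. The following is an added example, not code from the thread or from git itself; it assumes a flat tree of regular files and an invented author identity, and it shows that the bytes a commit signature covers contain the tree id but never the file content or even the blob id.

```python
from __future__ import annotations
import hashlib


def git_object_id(obj_type: str, payload: bytes) -> str:
    """Git's object id: SHA-1 over "<type> <size>\\0<payload>"."""
    header = f"{obj_type} {len(payload)}\0".encode()
    return hashlib.sha1(header + payload).hexdigest()


def blob_id(content: bytes) -> str:
    return git_object_id("blob", content)


def tree_id(entries: list[tuple[str, str, str]]) -> str:
    """entries: (mode, name, hex object id). Assumes plain files only;
    git stores each entry as "<mode> <name>\\0<20 raw id bytes>", sorted by name."""
    payload = b"".join(
        f"{mode} {name}\0".encode() + bytes.fromhex(oid)
        for mode, name, oid in sorted(entries, key=lambda e: e[1])
    )
    return git_object_id("tree", payload)


def commit_bytes(tree: str, parents: list[str], ident: str, message: str) -> bytes:
    """The commit object body. A 'git commit -S' signature is computed over
    these bytes (the gpgsig header itself is excluded), so file content only
    enters the signature indirectly, through the tree id."""
    lines = [f"tree {tree}"] + [f"parent {p}" for p in parents]
    lines += [f"author {ident}", f"committer {ident}", "", message]
    return "\n".join(lines).encode()


# Constructed identity for the example; not a real committer.
IDENT = "Dev <dev@example.invalid> 1411233600 +0000"


def signed_body_for_file(name: str, content: bytes) -> bytes:
    """Build a one-file tree and return the commit body that would be signed."""
    tree = tree_id([("100644", name, blob_id(content))])
    return commit_bytes(tree, [], IDENT, "add file")


def what_the_signature_sees(name: str, content: bytes) -> dict[str, bool]:
    """Report which pieces of the file actually appear in the signed bytes."""
    body = signed_body_for_file(name, content)
    tree = tree_id([("100644", name, blob_id(content))])
    return {
        "tree_id_in_body": tree.encode() in body,
        "blob_id_in_body": blob_id(content).encode() in body,
        "content_in_body": content in body,
    }
```

Changing a single byte of the file changes the blob id, the tree id and therefore the signed body, but only because SHA-1 changes; a second-preimage for the blob would leave the signature valid.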