Gentoo Archives: gentoo-scm

From: Robert Buchholz <rbu@g.o>
To: gentoo-scm@l.g.o
Subject: [gentoo-scm] gpg signing of commits, was: Progress summary, 2009/06/01
Date: Fri, 05 Jun 2009 12:59:33
In Reply to: [gentoo-scm] Progress summary, 2009/06/01 by "Robin H. Johnson"
Hey Robin,

thanks for the summary.

On Tuesday 02 June 2009, Robin H. Johnson wrote:
> - Review commit signing
> - pclouds (a former Gentoo dev) contributed this prototype:
> >118788
> - I'm not entirely convinced the above is right, as the commit
>   message seems to end up unsigned.
I was wondering why we need GPG signing of commits at all. I was thinking
about the following two arguments:

0. Intro

git stores the SHA1 hashes of objects and one can check for errors in the
transmission or on the disk. This makes the (unsigned) Manifest parts
unnecessary. Commit signing is the equivalent of Manifest file signing we
have right now.

1. It's not needed for tree signing

The tree signing GLEP does not require signing of either commits or
Manifests. It relies on the main infra repository not being compromised.

2. It is not well designed (cryptographically)

OpenPGP allows the usage of a set of cryptographic hash functions to sign a
document. This allows people to switch to a different function once attacks
against one algorithm become known. This has been recently seen with SHA-1:

The git signing, however, relies on the collision resistance of SHA-1 as
that algorithm is used to identify objects in the repository. We cannot
migrate away from it easily. This has been discussed upstream at length and
Linus pointed out that 'the "signed tags" security does depend on the hashes
being cryptographically strong.':

What if we just drop the commit signing and corresponding hooks, and focus
on the tree signing and push logging even though we use gitosis?

Robert


Attachment: signature.asc (application/pgp-signature)
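The dependence the mail describes, as an added example (not code from the message or from Gentoo's tooling): it rebuilds git's blob/tree/commit/tag object hashing in Python, with constructed file contents, author lines and a tag name, and shows that the bytes an OpenPGP tag signature covers name the commit only by its SHA-1, so whatever digest OpenPGP itself negotiates, the binding to the tree contents runs through SHA-1.

```python
import hashlib

def git_object_id(obj_type: str, content: bytes) -> str:
    # git names every object by SHA-1 over "<type> <size>\0<content>";
    # this hash is fixed by the object format and cannot be swapped.
    header = f"{obj_type} {len(content)}\0".encode()
    return hashlib.sha1(header + content).hexdigest()

def tree_object(entries: dict) -> bytes:
    # entries: {filename: blob_id}; git sorts entries by name and stores
    # each id as 20 raw bytes after "<mode> <name>\0".
    out = b""
    for name in sorted(entries):
        out += f"100644 {name}\0".encode() + bytes.fromhex(entries[name])
    return out

IDENT = "Example <example@example.invalid> 1244206773 +0200"  # constructed

def commit_object(tree_id: str, message: str) -> bytes:
    # A commit references its tree (and any parents) only by SHA-1 id.
    return f"tree {tree_id}\nauthor {IDENT}\ncommitter {IDENT}\n\n{message}\n".encode()

def tag_object(commit_id: str, name: str) -> bytes:
    # A signed tag is an OpenPGP signature over exactly these bytes; the
    # commit they point at appears only as its SHA-1.
    return (f"object {commit_id}\ntype commit\ntag {name}\n"
            f"tagger {IDENT}\n\n{name}\n").encode()

def signed_payload_for(files: dict, message: str, tag: str) -> dict:
    """Build blob -> tree -> commit -> tag and report what a tag signature covers."""
    blobs = {n: git_object_id("blob", data) for n, data in files.items()}
    tree_id = git_object_id("tree", tree_object(blobs))
    commit_id = git_object_id("commit", commit_object(tree_id, message))
    tag_bytes = tag_object(commit_id, tag)
    return {
        "blob_ids": blobs,
        "tree_id": tree_id,
        "commit_id": commit_id,
        "signed_bytes": tag_bytes,
        # OpenPGP may hash the signed bytes with any agreed digest (SHA-256
        # here, as an illustration), but the only link from those bytes to
        # the file contents is the chain of git SHA-1 ids.
        "signature_digest": hashlib.sha256(tag_bytes).hexdigest(),
        "commit_id_in_signed_bytes": commit_id.encode() in tag_bytes,
        "content_in_signed_bytes": any(d in tag_bytes for d in files.values()),
    }

if __name__ == "__main__":
    r = signed_payload_for({"hello.txt": b"hello\n"}, "add hello", "v1")
    print(r["signed_bytes"].decode())
```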


Replies: Re: [gentoo-scm] gpg signing of commits, was: Progress summary, 2009/06/01 by "Robin H. Johnson" <robbat2@g.o>