From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from pigeon.gentoo.org ([208.92.234.80] helo=lists.gentoo.org)
	by finch.gentoo.org with esmtp (Exim 4.60)
	(envelope-from <gentoo-dev+bounces-52234-garchives=archives.gentoo.org@lists.gentoo.org>)
	id 1Sbcfd-0002A4-J5
	for garchives@archives.gentoo.org; Mon, 04 Jun 2012 19:10:29 +0000
Received: from pigeon.gentoo.org (localhost [127.0.0.1])
	by pigeon.gentoo.org (Postfix) with SMTP id 0FF1BE09AF;
	Mon,  4 Jun 2012 19:10:14 +0000 (UTC)
Received: from mail-pz0-f53.google.com (mail-pz0-f53.google.com [209.85.210.53])
	by pigeon.gentoo.org (Postfix) with ESMTP id 727FBE06C1
	for <gentoo-dev@lists.gentoo.org>; Mon,  4 Jun 2012 19:09:39 +0000 (UTC)
Received: by dadg9 with SMTP id g9so7375775dad.40
        for <gentoo-dev@lists.gentoo.org>; Mon, 04 Jun 2012 12:09:38 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=date:from:to:subject:message-id:references:mime-version
         :content-type:content-disposition:in-reply-to:user-agent;
        bh=VqhpNaDNK1tcQGsXFP+sdsGEKPTFZ0IMvnwJv1F7vyk=;
        b=iLZFq4W1SCMlOHK3aX5+lafQRlBFTO0wRxIw9hWchcMxmUzeztokM9aaFUiMFwTnV6
         RRUZt+BYUxhK6Ao5XjICXt6lCxlDIzaa55UV9qzwml58qoM75RiR5iM4VemlygHBeTi7
         HkbZ/hO/Qd1PoXtSESHnfToZYi9Bq8Xhv/LtC0DGEVz/6cJ9iLnV/+VzCUTGqoIpqpIH
         9xj3lv+tjVDZvI4csYua59+W22C/tZMOwu8S0qhZLcChliSrBC/1GZE9ipHeExTZH3Ax
         xPM8srAn/pwS8PEMxAHBMpun7U26FMjWtEPf9UbLeicXyIIgT+sliCIsOmgAe4oyeh+0
         jZ2A==
Received: by 10.68.138.161 with SMTP id qr1mr4618264pbb.37.1338836978801;
        Mon, 04 Jun 2012 12:09:38 -0700 (PDT)
Received: from smtp.gmail.com:587 (74-95-192-101-SFBA.hfc.comcastbusiness.net. [74.95.192.101])
        by mx.google.com with ESMTPS id jw3sm14158077pbc.65.2012.06.04.12.09.36
        (version=TLSv1/SSLv3 cipher=OTHER);
        Mon, 04 Jun 2012 12:09:37 -0700 (PDT)
Received: by smtp.gmail.com:587 (sSMTP sendmail emulation); Mon, 04 Jun 2012 12:10:00 -0700
Date: Mon, 4 Jun 2012 12:10:00 -0700
From: Brian Harring <ferringb@gmail.com>
To: gentoo-dev@lists.gentoo.org
Subject: Re: [gentoo-dev] Git braindump: 1 of N: merging & git signing
Message-ID: <20120604191000.GA3692@localhost>
References: <CAGfcS_=VRi=7n_2rCWLUZUP-HT8h1T6_YfP-oySRUZfWadoc=A@mail.gmail.com>
 <CAKmKYaBD0yiq7HRrZ+XcOQ-9=GSiBmcLYEDCS3_oH6=kpzP+yA@mail.gmail.com>
 <CAGfcS_mkN9ZSvJcSUaVf7=+hRpgKeQ0k97YXo4eqAGZQ-3LOYA@mail.gmail.com>
 <CAKmKYaA=+-3qe=SRs=u7rY3=08Wjo8H6jStm2bLda2PBNSx7fw@mail.gmail.com>
 <CAGfcS_mHA=pfY4AwS6pwwWQW=K1SotQLiWna1ks0dNvQ4vwe1w@mail.gmail.com>
 <CAKmKYaB7xj4TCZZ1PDLYq1hONzo8rQTNq8mVR2anLiHA8KpHmA@mail.gmail.com>
 <CAGfcS_n7YtDfCC4BqMnac34eN_5E-wigLneWmUivOFjxoNHyOw@mail.gmail.com>
 <CAKmKYaDZPGD1TEfjPaqTLg_+poE6hQiZU=wEBNPgaGHk+BRL3w@mail.gmail.com>
 <CAGfcS_mSg5nySMoph9MwNAWxtOJJd70PV6EBEC0e4OK9Z=F=-w@mail.gmail.com>
 <CAKmKYaCEjjwu-UnY9guBmKWwK+Wtrz49ie_5z=gdm1AUZhcWDg@mail.gmail.com>
Precedence: bulk
List-Post: <mailto:gentoo-dev@lists.gentoo.org>
List-Help: <mailto:gentoo-dev+help@lists.gentoo.org>
List-Unsubscribe: <mailto:gentoo-dev+unsubscribe@lists.gentoo.org>
List-Subscribe: <mailto:gentoo-dev+subscribe@lists.gentoo.org>
List-Id: Gentoo Linux mail <gentoo-dev.gentoo.org>
X-BeenThere: gentoo-dev@lists.gentoo.org
Reply-to: gentoo-dev@lists.gentoo.org
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <CAKmKYaCEjjwu-UnY9guBmKWwK+Wtrz49ie_5z=gdm1AUZhcWDg@mail.gmail.com>
User-Agent: Mutt/1.5.21 (2010-09-15)
X-Archives-Salt: 3e6bd5e8-c543-48bb-bd64-f5c673fb4f23
X-Archives-Hash: 1ec348bc865a73695adad2c2e8f4b783

On Mon, Jun 04, 2012 at 08:45:42PM +0200, Dirkjan Ochtman wrote:
> On Mon, Jun 4, 2012 at 7:25 PM, Rich Freeman <rich0@gentoo.org> wrote:
> > Anything we do has to be automated to be of any real value. ??Ideally
> > if something goes wrong it should be as detectable as possible.
> 
> Yeah, but you'd have to part of that at every developer's box.
> 
> Can we just agree that having the tip of the main tree always signed
> will be enough for now, and postpone the rest of the discussion until
> later?

ToT is always going to be signed.  If it *isn't* signed, either the 
infra machinery is broken and not rejecting commits that it should 
reject, or someone is trojaning the repo (either via an infra 
compromise, local compromise, or via man in the middle).

One thing people need to keep in mind here is that when you sign the 
commit, you're signing off on the history implicitly.  Directly 
addressing freeman's comment about "people sign the manifest but don't 
look at what they're signing", when it comes to git signage, bluntly, 
people doing that shouldn't have access- if they can't be arsed to 
validate what they're signing, then trusting them w/ the tree is 
probably questionable.

Harsh, but frankly, sane people don't sign enforcable contracts w/out 
verifying what they're signing (note the 'enforcable' bit, stated to 
head off the EULA rathole discussion); this isn't any different 
frankly.

~harring