From: Rich Freeman
To: gentoo-dev@lists.gentoo.org
Subject: Re: [gentoo-dev] Git braindump: 1 of N: merging & git signing
Date: Mon, 4 Jun 2012 13:25:18 -0400

On Mon, Jun 4, 2012 at 12:19 PM, Dirkjan Ochtman wrote:
> So to prevent your scenario, we'd
> have to get everyone to check the signature of the tip of tree they
> pulled before committing/merging.

How can we be sure this has happened? This is the problem with signed manifests today. I can sign a manifest, but I didn't actually check all the files inside it, and the file might or might not have been signed before I modified it, and most likely I didn't even check the signature even if it was there.

Anything we do has to be automated to be of any real value. Ideally if something goes wrong it should be as detectable as possible.

Warts and all the current system hasn't broken down yet. However, if we ever did find out about an intrusion in our cvs repository, we'd essentially have to do a 100% code review to be sure it was OK, and that includes checking all tarballs on mirrors. With signed commits we could verify that the tree was intact, and if anything bad was found we could pinpoint exactly whose key was compromised and do a focused check on their commits.

Rich
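
One way to automate the two checks discussed in this message (verify the pulled tip before merging, and scope a review to one compromised key), as an added example that is not part of the original e-mail or of Gentoo's tooling. The function names, the policy of accepting only status `G`, and the sample hashes and key ids are assumptions constructed for illustration.

```shell
#!/bin/sh
# Input, one line per commit: "<hash> <%G? status> <%GK key id>", as printed by
#   git log --format='%H %G? %GK' <range>
# %G? is G (good), B (bad), U (good, unknown validity), X/Y (expired),
# R (revoked key), E (cannot be checked) or N (no signature).

# Report every commit that is not signed with a fully valid signature.
# Assumed policy: only G passes, so U is rejected as well. Returns 1 on any reject.
audit_signatures() {
    awk '
        $2 != "G" {
            printf "REJECT %s status=%s key=%s\n", $1, $2, ($3 == "" ? "-" : $3)
            bad = 1
        }
        END { exit (bad ? 1 : 0) }
    '
}

# List commits made with one key: the focused check after a key compromise.
commits_by_key() {
    awk -v key="$1" '$3 == key { print $1 }'
}

# Gate a merge on the range between a trusted base and the fetched tip,
# e.g.: verify_range origin/master FETCH_HEAD && git merge --ff-only FETCH_HEAD
verify_range() {
    git log --format='%H %G? %GK' "$1..$2" | audit_signatures
}

# Constructed sample input (not real commits or keys).
sample_log() {
    cat <<'EOF'
1111111111111111111111111111111111111111 G AAAAAAAAAAAAAAAA
2222222222222222222222222222222222222222 G BBBBBBBBBBBBBBBB
3333333333333333333333333333333333333333 N
4444444444444444444444444444444444444444 B AAAAAAAAAAAAAAAA
5555555555555555555555555555555555555555 G AAAAAAAAAAAAAAAA
EOF
}
```

Run from a hook or CI job rather than by hand, this makes the verification automatic: `verify_range` fails closed when any commit in the range is unsigned or badly signed.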