From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from pigeon.gentoo.org ([208.92.234.80] helo=lists.gentoo.org)
	by finch.gentoo.org with esmtp (Exim 4.60)
	(envelope-from <gentoo-dev+bounces-52232-garchives=archives.gentoo.org@lists.gentoo.org>)
	id 1Sbb34-0000oz-JO
	for garchives@archives.gentoo.org; Mon, 04 Jun 2012 17:26:37 +0000
Received: from pigeon.gentoo.org (localhost [127.0.0.1])
	by pigeon.gentoo.org (Postfix) with SMTP id B20EFE06C1;
	Mon,  4 Jun 2012 17:26:10 +0000 (UTC)
Received: from mail-bk0-f53.google.com (mail-bk0-f53.google.com [209.85.214.53])
	by pigeon.gentoo.org (Postfix) with ESMTP id 4699BE068C
	for <gentoo-dev@lists.gentoo.org>; Mon,  4 Jun 2012 17:25:19 +0000 (UTC)
Received: by bkcjk13 with SMTP id jk13so4367020bkc.40
        for <gentoo-dev@lists.gentoo.org>; Mon, 04 Jun 2012 10:25:18 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=mime-version:sender:in-reply-to:references:date
         :x-google-sender-auth:message-id:subject:from:to:content-type;
        bh=Oun0vjJvMsEIVZyyksBql/s+qVizXjJbzevg6hZC9lk=;
        b=yZT5vktVZIgfZVXd/5ZKjmR/7ZHk/UW/d2xgYezlN1NGhOpFMchIhyWqiOk0DNHfyk
         tW7dhTso7iyg3sK8BKNizADileKuWQmNiwrfzJ70iEYSXeElD9+7Ucr3OroyiXiqNPmX
         ZmJnm0ZFQJK1D7Tef52fsCZyZOndFBEdnuwiA9lX1CF7F42vLaRcUXJCU2ATptvsJFEy
         1etHrxfAzJctY/mPzyAZ3AmYZ7CPmp3YpS+sCS7mvF4uVJDFE23Y9vLn0ogwZqYnvdwn
         kft6ykkani5pNMJ5oxilalzan6R2Dab3lEk9iGtYpk2B1oeigwHNXxvUxPBekQ9nm9oa
         /GgQ==
Precedence: bulk
List-Post: <mailto:gentoo-dev@lists.gentoo.org>
List-Help: <mailto:gentoo-dev+help@lists.gentoo.org>
List-Unsubscribe: <mailto:gentoo-dev+unsubscribe@lists.gentoo.org>
List-Subscribe: <mailto:gentoo-dev+subscribe@lists.gentoo.org>
List-Id: Gentoo Linux mail <gentoo-dev.gentoo.org>
X-BeenThere: gentoo-dev@lists.gentoo.org
Reply-to: gentoo-dev@lists.gentoo.org
MIME-Version: 1.0
Received: by 10.204.130.85 with SMTP id r21mr7609801bks.53.1338830718397; Mon,
 04 Jun 2012 10:25:18 -0700 (PDT)
Sender: freemanrich@gmail.com
Received: by 10.204.149.211 with HTTP; Mon, 4 Jun 2012 10:25:18 -0700 (PDT)
In-Reply-To: <CAKmKYaDZPGD1TEfjPaqTLg_+poE6hQiZU=wEBNPgaGHk+BRL3w@mail.gmail.com>
References: <robbat2-20120603T073705-606889647Z@orbis-terrarum.net>
	<201206031239.21744.dilfridge@gentoo.org>
	<CAKmKYaCin65oaPiynVBMSL0psfZVsti4oFpd=DYw3mp_pf2-RA@mail.gmail.com>
	<201206032135.49757.dilfridge@gentoo.org>
	<CAKmKYaCv0shtPu7jcvbDT_XyTAq__S3R_ZLcOgcgMDRM_zPEAg@mail.gmail.com>
	<CAGfcS_maNfikeVTj3cmcQ1OF-uQAVEbE2r1oKykYGwC5VOmvfw@mail.gmail.com>
	<CAKmKYaA=KoyvXRxpg+9uYiha_2vgPg7Z4+kywmC_8XTvb48-mA@mail.gmail.com>
	<CAGfcS_=VRi=7n_2rCWLUZUP-HT8h1T6_YfP-oySRUZfWadoc=A@mail.gmail.com>
	<CAKmKYaBD0yiq7HRrZ+XcOQ-9=GSiBmcLYEDCS3_oH6=kpzP+yA@mail.gmail.com>
	<CAGfcS_mkN9ZSvJcSUaVf7=+hRpgKeQ0k97YXo4eqAGZQ-3LOYA@mail.gmail.com>
	<CAKmKYaA=+-3qe=SRs=u7rY3=08Wjo8H6jStm2bLda2PBNSx7fw@mail.gmail.com>
	<CAGfcS_mHA=pfY4AwS6pwwWQW=K1SotQLiWna1ks0dNvQ4vwe1w@mail.gmail.com>
	<CAKmKYaB7xj4TCZZ1PDLYq1hONzo8rQTNq8mVR2anLiHA8KpHmA@mail.gmail.com>
	<CAGfcS_n7YtDfCC4BqMnac34eN_5E-wigLneWmUivOFjxoNHyOw@mail.gmail.com>
	<CAKmKYaDZPGD1TEfjPaqTLg_+poE6hQiZU=wEBNPgaGHk+BRL3w@mail.gmail.com>
Date: Mon, 4 Jun 2012 13:25:18 -0400
X-Google-Sender-Auth: rPTUbYkpmdRuDEczSaJZQwzWwlM
Message-ID: <CAGfcS_mSg5nySMoph9MwNAWxtOJJd70PV6EBEC0e4OK9Z=F=-w@mail.gmail.com>
Subject: Re: [gentoo-dev] Git braindump: 1 of N: merging & git signing
From: Rich Freeman <rich0@gentoo.org>
To: gentoo-dev@lists.gentoo.org
Content-Type: text/plain; charset=ISO-8859-1
X-Archives-Salt: d87850ca-f6e2-4040-a443-21fad1250922
X-Archives-Hash: 31ff6d32fbc5a213d1935988c2ffa4e9

On Mon, Jun 4, 2012 at 12:19 PM, Dirkjan Ochtman <djc@gentoo.org> wrote:
> So to prevent your scenario, we'd
> have to get everyone to check the signature of the tip of tree they
> pulled before committing/merging.

How can we be sure this has happened?

This is the problem with signed manifests today.  I can sign a
manifest, but I didn't actually check all the files inside it, and the
file might or might not have been signed before I modified it, and
most likely I didn't even check the signature even if it was there.

Anything we do has to be automated to be of any real value.  Ideally
if something goes wrong it should be as detectable as possible.

Warts and all, the current system hasn't broken down yet.  However, if
we ever did find out about an intrusion in our cvs repository, we'd
essentially have to do a 100% code review to be sure it was OK, and
that includes checking all tarballs on mirrors.

With signed commits we could verify that the tree was intact, and if
anything bad was found we could pinpoint exactly whose key was
compromised and do a focused check on their commits.

Rich
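Added illustration, not part of this message or of any Gentoo tooling: the two checks the reply asks for (an automated "is the tip I pulled properly signed?" gate before merging, and "which commits were signed by this key?" once a key is known to be compromised) can both be built on git's own signature reporting, the %G? / %GK / %GS placeholders of `git log --format`, which make git run gpg over each commit and print a status letter. The script below parses that output; the sample log, key ids, hashes and names are constructed for the example, and the `git_log_signatures` helper that runs git for real is only provided for use on an actual repository.

```python
"""Audit GPG signature status over a git history (added example).

Relies on git-log(1) pretty-format placeholders:
  %G?  signature status letter   %GK  signing key id   %GS  signer string
"""
import subprocess
from collections import defaultdict
from dataclasses import dataclass

# Field separator 0x1f keeps parsing unambiguous even when signer strings
# contain spaces. %x1f tells git to emit that raw byte.
LOG_FORMAT = "%H%x1f%G?%x1f%GK%x1f%GS%x1f%an"

# Status letters as documented for %G? in git-log(1).
STATUS = {
    "G": "good signature",
    "B": "bad signature",
    "U": "good signature, key not trusted",
    "X": "good signature, expired",
    "Y": "good signature, key expired",
    "R": "good signature, key revoked",
    "E": "signature cannot be checked (e.g. key missing)",
    "N": "no signature",
}
# Policy choice for this example: only a valid signature from a key the
# local keyring fully trusts passes. "U" is deliberately rejected.
ACCEPTED = {"G"}


@dataclass(frozen=True)
class Commit:
    sha: str
    status: str
    key: str
    signer: str
    author: str


def parse_log(text: str) -> list[Commit]:
    """Parse `git log --format=LOG_FORMAT` output, newest commit first."""
    commits = []
    for line in text.splitlines():
        if not line:
            continue
        sha, status, key, signer, author = line.split("\x1f")
        commits.append(Commit(sha, status, key, signer, author))
    return commits


def git_log_signatures(repo: str, rev_range: str = "HEAD") -> list[Commit]:
    """Run git for real against a repository (not used by the inline sample)."""
    out = subprocess.run(
        ["git", "-C", repo, "log", f"--format={LOG_FORMAT}", rev_range],
        check=True, capture_output=True, text=True,
    ).stdout
    return parse_log(out)


def tip_is_trusted(commits: list[Commit]) -> bool:
    """Automated form of 'check the signature of the tip you pulled':
    call this on the fetched branch before merging or committing on top."""
    return bool(commits) and commits[0].status in ACCEPTED


def unverified(commits: list[Commit]) -> list[Commit]:
    """Every commit in the range that lacks an accepted signature."""
    return [c for c in commits if c.status not in ACCEPTED]


def commits_by_key(commits: list[Commit]) -> dict[str, list[str]]:
    """Map signing key id -> commit shas. When one key is known to be
    compromised, the commits needing a focused review are one lookup."""
    index = defaultdict(list)
    for c in commits:
        index[c.key or "<unsigned>"].append(c.sha)
    return dict(index)


# Constructed sample of what git would print for a five-commit history.
# Hashes, key ids and names are invented for the example.
SAMPLE_LOG = "\n".join("\x1f".join(f) for f in [
    ("a1f3c0de" * 5, "G", "0123456789ABCDEF", "Dev One <dev1@example.org>", "Dev One"),
    ("b2e4d1ef" * 5, "N", "", "", "Dev Two"),
    ("c3d5e2f0" * 5, "G", "FEDCBA9876543210", "Dev Two <dev2@example.org>", "Dev Two"),
    ("d4c6f3a1" * 5, "U", "FEDCBA9876543210", "Dev Two <dev2@example.org>", "Dev Two"),
    ("e5b7a4b2" * 5, "G", "0123456789ABCDEF", "Dev One <dev1@example.org>", "Dev One"),
])

if __name__ == "__main__":
    history = parse_log(SAMPLE_LOG)
    print("tip trusted:", tip_is_trusted(history))
    for c in unverified(history):
        print(f"REVIEW {c.sha[:12]} {c.author:<8} {STATUS[c.status]}")
    for key, shas in commits_by_key(history).items():
        print(f"{key:<18} {len(shas)} commit(s)")
```

Wired into a pre-merge or pre-push hook, `tip_is_trusted` is what turns "everyone has to check the signature of the tip" into something that cannot be skipped; `commits_by_key` is the focused-review list the last paragraph describes. Note that %G? only reflects the trust the local keyring assigns to a key, so the result is only as good as the keyring the check runs against.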