From: Rich Freeman
To: gentoo-dev@lists.gentoo.org
Date: Mon, 4 Jun 2012 12:06:36 -0400
Subject: Re: [gentoo-dev] Git braindump: 1 of N: merging & git signing
References: <201206031239.21744.dilfridge@gentoo.org> <201206032135.49757.dilfridge@gentoo.org>

On Mon, Jun 4, 2012 at 11:02 AM, Dirkjan Ochtman wrote:
> If the tree was bad before you pushed, then it's not your fault the
> tree is bad. You're only responsible for the commits you bring into
> the tree, so if you're merging contributors' unsigned changesets, you
> merge them with a signature of your own.

Yup, but the fact that the tree is bad is still a problem, even if it
isn't my fault.

> If the hacker has unfettered access to the server where the repository
> lives, we probably have bigger problems, as they can get whatever
> rsynced to all our users. I guess we could have the rsync process check
> that the cset it's about to push out to mirrors is signed?

So, the whole point of signing is that it lets you prove that the
repository is uncompromised. If we're going to assume that the server is
secure, then we don't need signatures - whatever is on the server is by
definition correct.

A robust security infrastructure is already spelled out in a GLEP (though
that one is dated). Ideally it should be verifiable from end to end, so
that when you run emerge, if a package has been tampered with it will just
refuse to install it. Since we don't distribute the whole git repository,
the git commits only get us part of the way there. However, if every step
of the distribution assumes that the previous step could have been
compromised, that would be a good start.

Again, we don't need to be there 100% to go live. However, I think that
was the whole point of signing commits. If we aren't going to add any
assurance at all with our signing practices, then there isn't much point
in having them.

Rich
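Added example for this archive page; it is not part of Rich's or Dirkjan's mail and not Gentoo's own tooling. The rule quoted above (unsigned contributor commits are acceptable only when a developer signs the merge that brings them in) can be checked mechanically over `git log --format='%H %P|%G?|%GF'` output: every commit on the first-parent line from HEAD must carry a good signature from a trusted key, while commits on a merged side branch may be unsigned. The example adds one rule of its own, flagging a bad or unverifiable signature anywhere, since that is tampering rather than an absent signature. The trusted fingerprint and the commit ids in the sample logs are constructed placeholders; `git_log()` shells out to a real repository and assumes a git recent enough to print `%GF` and a keyring that already contains the developer keys.

```python
"""Check a git history against the merge-with-your-own-signature policy.

Added example, not Gentoo code. Mainline (first-parent) commits must be
signed by a trusted developer; side-branch commits may be unsigned because
the developer who signed the merge is responsible for them. A bad or
unverifiable signature anywhere is flagged (an added rule, not from the mail).
"""
import subprocess
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Assumed placeholder fingerprint of a trusted developer key (not a real key).
DEV = "DEVKEY0000000000000000000000000000000001"
TRUSTED_FPRS: Set[str] = {DEV}

# %G? codes: Good, Bad, Untrusted-good, eXpired sig, key expired (Y),
# Revoked key, Error (key missing), No signature.
GOOD, BAD, UNTRUSTED, EXPIRED, KEY_EXPIRED, REVOKED, ERROR, NONE = "GBUXYREN"
TAMPERED = {BAD, EXPIRED, KEY_EXPIRED, REVOKED, ERROR}


@dataclass
class Commit:
    sha: str
    parents: List[str]
    status: str  # one of the %G? codes above
    fpr: str     # %GF fingerprint of the signing key, "" when unsigned


def parse_log(text: str) -> Dict[str, Commit]:
    """Parse `git log --format='%H %P|%G?|%GF'` lines into a sha -> Commit map."""
    commits: Dict[str, Commit] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        ids, status, fpr = line.split("|", 2)
        sha, *parents = ids.split()
        commits[sha] = Commit(sha, parents, status.strip(), fpr.strip())
    return commits


def git_log(rev: str = "HEAD", repo: str = ".") -> Dict[str, Commit]:
    """Read a real repository; needs git with %GF and the developer keys imported."""
    out = subprocess.run(
        ["git", "-C", repo, "log", "--format=%H %P|%G?|%GF", rev],
        capture_output=True, text=True, check=True,
    ).stdout
    return parse_log(out)


def reachable(start: str, commits: Dict[str, Commit]) -> Set[str]:
    """All commits in the log reachable from `start`, inclusive."""
    seen: Set[str] = set()
    stack = [start]
    while stack:
        sha = stack.pop()
        if sha in seen or sha not in commits:
            continue
        seen.add(sha)
        stack.extend(commits[sha].parents)
    return seen


def check_history(commits: Dict[str, Commit], head: str,
                  trusted: Set[str] = TRUSTED_FPRS,
                  base: Optional[str] = None) -> List[str]:
    """Return policy violations walking first parents from head down to base."""
    problems: List[str] = []
    sha: Optional[str] = head
    while sha is not None and sha != base:
        c = commits.get(sha)
        if c is None:
            problems.append(f"{sha}: on first-parent line but missing from log")
            break
        if not (c.status == GOOD and c.fpr in trusted):
            problems.append(f"{sha}: first-parent commit not signed by a trusted "
                            f"developer (status {c.status}, key {c.fpr or '-'})")
        if len(c.parents) > 1:
            # Commits this merge brings in: reachable from a side parent but
            # not from the mainline parent. Unsigned is fine here; bad is not.
            mainline = reachable(c.parents[0], commits)
            for side in c.parents[1:]:
                for s in sorted(reachable(side, commits) - mainline):
                    if commits[s].status in TAMPERED:
                        problems.append(f"{s}: merged commit has a bad or "
                                        f"unverifiable signature (status {commits[s].status})")
        sha = c.parents[0] if c.parents else None
    return problems


# Constructed sample logs (placeholder ids, not real commits).
# A developer signs merge m1 that brings in the unsigned contributor branch c1, c2.
SAMPLE_OK = f"m1 d2 c2|G|{DEV}\nd2 d1|G|{DEV}\nc2 c1|N|\nc1 d1|N|\nd1|G|{DEV}\n"
# Same history, plus an unsigned commit u1 pushed straight onto the mainline and a
# contributor commit c3 with a bad signature merged by signed merge m2.
SAMPLE_BAD = (f"u1 m2|N|\nm2 m1 c3|G|{DEV}\nc3 c2|B|\n" + SAMPLE_OK)

if __name__ == "__main__":
    for name, text, head in (("ok", SAMPLE_OK, "m1"), ("bad", SAMPLE_BAD, "u1")):
        print(name, check_history(parse_log(text), head) or "tree covered")
```

Run against a real checkout with `check_history(git_log(), "HEAD", base="<last verified sha>")` to verify only what arrived since the last sync; passing no `base` walks to the root, which is what an end-to-end check of a fresh mirror would do.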