From mboxrd@z Thu Jan 1 00:00:00 1970
From: Christopher Allan Webber
Subject: bug#22883: Authenticating a Git checkout
Date: Sun, 05 Jun 2016 15:39:04 -0500
Message-ID: <87h9d7e5g7.fsf@dustycloud.org>
References: <87io14sqoa.fsf@dustycloud.org> <87h9ep8gxk.fsf@gnu.org> <20160426001359.GA23088@jasmine> <874majg0z8.fsf@gnu.org> <87bn3iz1xc.fsf_-_@gnu.org> <87bn3hwpgo.fsf@gnu.org> <87wpm519um.fsf@gnu.org>
In-reply-to: <87wpm519um.fsf@gnu.org>
List-Id: Bug reports for GNU Guix
To: Ludovic Courtès
Cc: 22883@debbugs.gnu.org

Ludovic Courtès writes:

>>> Second, even if it did, it would be a shallow check: as Mike notes in
>>> with the ‘signchk’ script, you actually have to traverse the whole
>>> commit history and authenticate them one by one.  But that’s OK, it
>>> runs in presumably less than a minute on a repo the size of Guix’s,
>>> and we could also stop at signed tags to avoid redundant checks.
>>
>> Practically speaking, that's probably fine, though note that a signed
>> tag is just a signed hash of the commit it points to (with some
>> metadata), so you're trusting the integrity of SHA-1 and nothing
>> more.
>>
>> With that said, the tag points to what will hopefully be a signed
>> commit, so if you verify the signature of the tag _and_ that commit,
>> that'd be even better.  Git's use of SHA-1 makes cryptographic
>> assurances difficult/awkward.
>>
>> An occasional traversal of the entire DAG by, say, a CI script would
>> provide some pretty good confidence.  I wouldn't say it's necessary for
>> every pull.
>
> Agreed.

One theoretical optimization: if I verify the DAG, could I store somewhere
that I've verified from commit cabba6e and upward already, so the next time
I verify it only has to verify the new commits?

Mostly makes sense if we're already going down the only mildly crazypants
direction of implementing our own tooling :)

 - Chris
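The checkpointed traversal Chris asks about, written out as an added example (this is not code from the thread, from Guix, or from Mike's signchk script). The walk starts at HEAD, stops as soon as it reaches a commit recorded as already verified, checks the signature of everything above that line, and extends the record on success, so the second run only touches new commits. The in-memory history, its short labels, and the names unverified_commits, authenticate, git_parents and git_verifier are this example's own assumptions; the git-backed adapters use only `git rev-list --parents` and `git verify-commit --raw`. Two caveats a practitioner should keep in mind: the checkpoint has to live somewhere the people who can push to the repository cannot write (a ref in the same repository would not do), and "verified from cabba6e upward" identifies ancestry by commit hash, so it rests on SHA-1 collision resistance exactly as the signed-tag case discussed above does.

```python
"""Incremental authentication of a git commit DAG (added example, not Guix code).

Walks from HEAD toward the roots, stops at commits recorded as already
verified (the checkpoint), checks the signature of every commit above that
line in parents-before-children order, and extends the checkpoint on success.
"""
import subprocess
from typing import Callable, Dict, List, Optional, Set, Tuple

Parents = Callable[[str], List[str]]   # commit id -> its parent ids
Verifier = Callable[[str], bool]       # commit id -> signature acceptable?


def unverified_commits(head: str, parents: Parents, trusted: Set[str]) -> List[str]:
    """Commits reachable from `head` that are not in `trusted`, ordered so that
    every parent precedes its children; the walk never descends below a trusted
    commit. An empty `trusted` set means a full traversal of the DAG."""
    seen: Set[str] = set()
    order: List[str] = []
    stack: List[Tuple[str, bool]] = [(head, False)]
    while stack:
        commit, expanded = stack.pop()
        if expanded:
            order.append(commit)          # all of its ancestors were emitted first
            continue
        if commit in seen or commit in trusted:
            continue
        seen.add(commit)
        stack.append((commit, True))      # emit after the ancestors pushed below
        for parent in parents(commit):
            if parent not in seen and parent not in trusted:
                stack.append((parent, False))
    return order


def authenticate(head: str, parents: Parents, verify: Verifier,
                 trusted: Set[str]) -> Tuple[bool, Optional[str]]:
    """Verify every commit above the checkpoint. Returns (ok, first_bad_commit).
    `trusted` is extended in place for each commit that verifies, so the next
    run only looks at what is new; persisting it (outside the repo) is the
    caller's job."""
    for commit in unverified_commits(head, parents, trusted):
        if not verify(commit):
            return False, commit
        trusted.add(commit)
    return True, None


def git_parents(repo: str) -> Parents:
    """Parent lookup backed by `git rev-list --parents -n 1 <commit>`, which
    prints the commit followed by its parents on one line."""
    def parents(commit: str) -> List[str]:
        out = subprocess.run(
            ["git", "-C", repo, "rev-list", "--parents", "-n", "1", commit],
            check=True, capture_output=True, text=True).stdout.split()
        return out[1:]
    return parents


def git_verifier(repo: str, allowed_fingerprints: Set[str]) -> Verifier:
    """Signature check backed by `git verify-commit --raw`, which prints the
    gpg status lines to stderr. A commit passes only if it carries a VALIDSIG
    from an explicitly allowed key fingerprint, not merely any good signature."""
    def verify(commit: str) -> bool:
        result = subprocess.run(
            ["git", "-C", repo, "verify-commit", "--raw", commit],
            capture_output=True, text=True)
        if result.returncode != 0:
            return False
        for line in result.stderr.splitlines():
            fields = line.split()
            if len(fields) >= 3 and fields[0] == "[GNUPG:]" and fields[1] == "VALIDSIG":
                return fields[2] in allowed_fingerprints
        return False
    return verify


# Constructed sample history (not a real repository): short labels stand in
# for commit hashes. b2 has two children (c3, d4) merged by e5; f6 is unsigned.
SAMPLE_DAG: Dict[str, List[str]] = {
    "a1": [], "b2": ["a1"], "c3": ["b2"], "d4": ["b2"], "e5": ["c3", "d4"], "f6": ["e5"],
}
SAMPLE_SIGNED: Set[str] = {"a1", "b2", "c3", "d4", "e5"}


def sample_parents(commit: str) -> List[str]:
    return SAMPLE_DAG[commit]


def sample_verify(commit: str) -> bool:
    return commit in SAMPLE_SIGNED


if __name__ == "__main__":
    checkpoint: Set[str] = set()
    print(authenticate("e5", sample_parents, sample_verify, checkpoint))  # (True, None)
    # Second run: only f6 is above the checkpoint, and it is unsigned.
    print(authenticate("f6", sample_parents, sample_verify, checkpoint))  # (False, 'f6')
```

Against a real checkout you would pass git_parents(path) and git_verifier(path, {fingerprints}) instead of the sample callables, seed `trusted` with the commits behind already-verified signed tags to skip redundant checks, and write the extended set back only after a run succeeds.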