From: Leo Famulari <leo@famulari.name>
To: Mark H Weaver <mhw@netris.org>
Cc: guix-devel@gnu.org
Subject: Re: ‘core-updates’ merge is a squashed commit
Date: Fri, 5 Aug 2016 22:07:07 -0400 [thread overview]
Message-ID: <20160806020707.GA16878@jasmine> (raw)
In-Reply-To: <871t22ww3v.fsf@netris.org>
On Fri, Aug 05, 2016 at 08:59:32PM -0400, Mark H Weaver wrote:
> Leo Famulari <leo@famulari.name> writes:
> > If I push A-B-C with a signed HEAD immediately after somebody pushes a
> > forged D, won't it look like I vouch for D?
>
> This can't happen unless D is already in your local repo before you
> commit locally. If someone pushes D immediately before you try to push
> A-B-C, your push will be rejected. At that point, you need to pull,
> rebase on top of D, and try again. You can always see the ancestor
> commits before signing the new comit.
>
> I haven't thought deeply on this, but it seems to me that Andy's
> suggestion has a lot of merit. We could choose to decide, as a matter
> of policy, that if you sign a commit with unsigned ancestor commit(s),
> you are effectively vouching for those ancestor commits. We could
> modify the commit hook to accept a push as long as the new HEAD commit
> is signed by an authorized key, disregarding the ancestors.
>
> There's one thing that each of us would need to be careful of, though.
> If we adopt this policy, then before signing a commit, we'd need to
> first verify that the parent commit has been signed, lest we
> accidentally vouch for an unsigned commit that we know nothing about.
>
> In practice, this could only happen if Savannah is compromised or
> there's a man-in-the-middle attack, because Savannah is supposed to
> ensure that pushes with unsigned HEADs are rejected.
>
> What do you think?
Okay, I think your analysis is right. If the HEAD of a push is always
signed, and that policy is known, then it is possible to know who is
responsible for pushing each commit.
But, I also think the primary point of signing the commits is to record
the identity of the person responsible for the commit, and so I think
the policy should be to sign each commit. [0]
The identity information provided by a "sign the HEAD" system seems
relatively brittle to me.
Somebody looking at a clone of the Git repo may not know about a commit
hook, or a "be careful" policy, that may or may not have been
consistently active (it seems that hooks don't come with `git clone`).
This person won't be able to easily attribute the unsigned commits.
Isn't it better for the identity information to be inherent to the Git
commits themselves, since those are what is preserved by Git? Git does
not preserve hooks or policies.
Also, is there some problem with signing each commit? I don't know why
we'd want to stop doing this.
[0] But, I also think that the hook we put in place to enforce this is
going to have to be modified, at least until we no longer need to push
this last batch of unsigned commits. At the very least, it should be
made to actually verify the signatures.
next prev parent reply other threads:[~2016-08-06 2:07 UTC|newest]
Thread overview: 50+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-08-01 8:19 Core-updates Andreas Enge
2016-08-01 21:48 ` core-updates merged! Ludovic Courtès
2016-08-02 13:26 ` ng0
2016-08-02 17:32 ` Ludovic Courtès
2016-08-02 17:48 ` Leo Famulari
2016-08-02 21:28 ` Ludovic Courtès
2016-08-03 4:04 ` Leo Famulari
2016-08-03 16:42 ` Ludovic Courtès
2016-08-03 17:24 ` Leo Famulari
2016-08-03 17:56 ` Ludovic Courtès
2016-08-03 18:39 ` Leo Famulari
2016-08-03 20:01 ` Ludovic Courtès
2016-08-03 21:01 ` Leo Famulari
2016-08-03 21:27 ` Andreas Enge
2016-08-03 22:14 ` Leo Famulari
2016-08-03 20:29 ` ‘core-updates’ merge is a squashed commit Ludovic Courtès
2016-08-03 21:10 ` Leo Famulari
2016-08-04 7:50 ` Mark H Weaver
2016-08-04 8:24 ` Andreas Enge
2016-08-04 12:36 ` Mark H Weaver
2016-08-04 12:40 ` Andreas Enge
2016-08-04 13:04 ` Leo Famulari
2016-08-04 13:23 ` Mark H Weaver
2016-08-04 14:07 ` Ludovic Courtès
2016-08-04 14:10 ` Andreas Enge
2016-08-04 14:45 ` Mathieu Lirzin
2016-08-04 16:37 ` Leo Famulari
2016-08-04 18:32 ` Andreas Enge
2016-08-04 20:06 ` Leo Famulari
2016-08-04 18:34 ` Andreas Enge
2016-08-04 15:06 ` Andy Wingo
2016-08-04 16:44 ` Leo Famulari
2016-08-04 16:55 ` Andy Wingo
2016-08-04 20:05 ` Leo Famulari
2016-08-05 7:35 ` Andy Wingo
2016-08-05 14:59 ` Leo Famulari
2016-08-05 16:50 ` Andy Wingo
2016-08-05 17:11 ` Leo Famulari
2016-08-06 0:59 ` Mark H Weaver
2016-08-06 2:07 ` Leo Famulari [this message]
2016-08-08 7:38 ` Andy Wingo
2016-08-06 7:52 ` Andreas Enge
2016-08-08 7:46 ` Andy Wingo
2016-08-07 6:16 ` Mike Gerwitz
2016-08-04 11:41 ` Leo Famulari
2016-08-06 14:42 ` core-updates merged! Leo Famulari
2016-08-10 19:49 ` Leo Famulari
2016-08-13 7:15 ` Manolis Ragkousis
2016-08-13 23:20 ` Core-updates is ready for your patches! Leo Famulari
2016-08-09 3:07 ` core-updates merged! Leo Famulari
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://guix.gnu.org/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20160806020707.GA16878@jasmine \
--to=leo@famulari.name \
--cc=guix-devel@gnu.org \
--cc=mhw@netris.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).