From mboxrd@z Thu Jan 1 00:00:00 1970 From: Leo Famulari Subject: Re: =?utf-8?B?4oCYY29yZS11cGRhdGVz?= =?utf-8?B?4oCZ?= merge is a squashed commit Date: Fri, 5 Aug 2016 22:07:07 -0400 Message-ID: <20160806020707.GA16878@jasmine> References: <87ziosyalv.fsf@netris.org> <87a8gso9p4.fsf@igalia.com> <20160804164453.GB8137@jasmine> <87a8gsmq2h.fsf@igalia.com> <20160804200519.GA14007@jasmine> <874m6zmzvk.fsf@igalia.com> <20160805145943.GA16973@jasmine> <87invfjh2h.fsf@igalia.com> <20160805171115.GB20835@jasmine> <871t22ww3v.fsf@netris.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Return-path: Received: from eggs.gnu.org ([2001:4830:134:3::10]:47479) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1bVr1H-0005pf-PG for guix-devel@gnu.org; Fri, 05 Aug 2016 22:07:24 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1bVr1D-0003dy-Fu for guix-devel@gnu.org; Fri, 05 Aug 2016 22:07:22 -0400 Received: from out2-smtp.messagingengine.com ([66.111.4.26]:60807) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1bVr1C-0003cm-60 for guix-devel@gnu.org; Fri, 05 Aug 2016 22:07:19 -0400 Content-Disposition: inline In-Reply-To: <871t22ww3v.fsf@netris.org> List-Id: "Development of GNU Guix and the GNU System distribution." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org Sender: "Guix-devel" To: Mark H Weaver Cc: guix-devel@gnu.org On Fri, Aug 05, 2016 at 08:59:32PM -0400, Mark H Weaver wrote: > Leo Famulari writes: > > If I push A-B-C with a signed HEAD immediately after somebody pushes a > > forged D, won't it look like I vouch for D? > > This can't happen unless D is already in your local repo before you > commit locally. If someone pushes D immediately before you try to push > A-B-C, your push will be rejected. At that point, you need to pull, > rebase on top of D, and try again. You can always see the ancestor > commits before signing the new comit. > > I haven't thought deeply on this, but it seems to me that Andy's > suggestion has a lot of merit. We could choose to decide, as a matter > of policy, that if you sign a commit with unsigned ancestor commit(s), > you are effectively vouching for those ancestor commits. We could > modify the commit hook to accept a push as long as the new HEAD commit > is signed by an authorized key, disregarding the ancestors. > > There's one thing that each of us would need to be careful of, though. > If we adopt this policy, then before signing a commit, we'd need to > first verify that the parent commit has been signed, lest we > accidentally vouch for an unsigned commit that we know nothing about. > > In practice, this could only happen if Savannah is compromised or > there's a man-in-the-middle attack, because Savannah is supposed to > ensure that pushes with unsigned HEADs are rejected. > > What do you think? Okay, I think your analysis is right. If the HEAD of a push is always signed, and that policy is known, then it is possible to know who is responsible for pushing each commit. But, I also think the primary point of signing the commits is to record the identity of the person responsible for the commit, and so I think the policy should be to sign each commit. [0] The identity information provided by a "sign the HEAD" system seems relatively brittle to me. Somebody looking at a clone of the Git repo may not know about a commit hook, or a "be careful" policy, that may or may not have been consistently active (it seems that hooks don't come with `git clone`). This person won't be able to easily attribute the unsigned commits. Isn't it better for the identity information to be inherent to the Git commits themselves, since those are what is preserved by Git? Git does not preserve hooks or policies. Also, is there some problem with signing each commit? I don't know why we'd want to stop doing this. [0] But, I also think that the hook we put in place to enforce this is going to have to be modified, at least until we no longer need to push this last batch of unsigned commits. At the very least, it should be made to actually verify the signatures.