From mboxrd@z Thu Jan  1 00:00:00 1970
From: Mark H Weaver <mhw@netris.org>
Subject: Re: =?utf-8?Q?=E2=80=98core-updates=E2=80=99?= merge is a squashed
	commit
Date: Fri, 05 Aug 2016 20:59:32 -0400
Message-ID: <871t22ww3v.fsf@netris.org>
References: <87a8gtyntw.fsf@netris.org> <20160804082400.GA1638@solar>
	<87ziosyalv.fsf@netris.org> <87a8gso9p4.fsf@igalia.com>
	<20160804164453.GB8137@jasmine> <87a8gsmq2h.fsf@igalia.com>
	<20160804200519.GA14007@jasmine> <874m6zmzvk.fsf@igalia.com>
	<20160805145943.GA16973@jasmine> <87invfjh2h.fsf@igalia.com>
	<20160805171115.GB20835@jasmine>
Mime-Version: 1.0
Content-Type: text/plain
Return-path: <guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org>
Received: from eggs.gnu.org ([2001:4830:134:3::10]:41368)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <mhw@netris.org>) id 1bVpxw-0006T5-5C
	for guix-devel@gnu.org; Fri, 05 Aug 2016 20:59:53 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <mhw@netris.org>) id 1bVpxs-0000BT-0m
	for guix-devel@gnu.org; Fri, 05 Aug 2016 20:59:51 -0400
Received: from world.peace.net ([50.252.239.5]:44484)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <mhw@netris.org>) id 1bVpxr-0000Ap-TH
	for guix-devel@gnu.org; Fri, 05 Aug 2016 20:59:47 -0400
In-Reply-To: <20160805171115.GB20835@jasmine> (Leo Famulari's message of "Fri,
	5 Aug 2016 13:11:15 -0400")
List-Id: "Development of GNU Guix and the GNU System distribution."
	<guix-devel.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/guix-devel>,
	<mailto:guix-devel-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/archive/html/guix-devel/>
List-Post: <mailto:guix-devel@gnu.org>
List-Help: <mailto:guix-devel-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/guix-devel>,
	<mailto:guix-devel-request@gnu.org?subject=subscribe>
Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org
Sender: "Guix-devel" <guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org>
To: Leo Famulari <leo@famulari.name>
Cc: guix-devel@gnu.org

Leo Famulari <leo@famulari.name> writes:

> On Fri, Aug 05, 2016 at 06:50:30PM +0200, Andy Wingo wrote:
>> Why would you sign a commit if you don't attest to intermediate unsigned
>> commits?
>
> If I push A-B-C with a signed HEAD immediately after somebody pushes a
> forged D, won't it look like I vouch for D?

This can't happen unless D is already in your local repo before you
commit locally.  If someone pushes D immediately before you try to push
A-B-C, your push will be rejected.  At that point, you need to pull,
rebase on top of D, and try again.  You can always see the ancestor
commits before signing the new comit.

I haven't thought deeply on this, but it seems to me that Andy's
suggestion has a lot of merit.  We could choose to decide, as a matter
of policy, that if you sign a commit with unsigned ancestor commit(s),
you are effectively vouching for those ancestor commits.  We could
modify the commit hook to accept a push as long as the new HEAD commit
is signed by an authorized key, disregarding the ancestors.

There's one thing that each of us would need to be careful of, though.
If we adopt this policy, then before signing a commit, we'd need to
first verify that the parent commit has been signed, lest we
accidentally vouch for an unsigned commit that we know nothing about.

In practice, this could only happen if Savannah is compromised or
there's a man-in-the-middle attack, because Savannah is supposed to
ensure that pushes with unsigned HEADs are rejected.

What do you think?

      Mark