From mboxrd@z Thu Jan 1 00:00:00 1970
From: Andy Wingo
Subject: Re: ‘core-updates’ merge is a squashed commit
Date: Mon, 08 Aug 2016 09:38:44 +0200
Message-ID: <87popjiubf.fsf@igalia.com>
References: <87ziosyalv.fsf@netris.org> <87a8gso9p4.fsf@igalia.com> <20160804164453.GB8137@jasmine> <87a8gsmq2h.fsf@igalia.com> <20160804200519.GA14007@jasmine> <874m6zmzvk.fsf@igalia.com> <20160805145943.GA16973@jasmine> <87invfjh2h.fsf@igalia.com> <20160805171115.GB20835@jasmine> <871t22ww3v.fsf@netris.org> <20160806020707.GA16878@jasmine>
Mime-Version: 1.0
Content-Type: text/plain
Return-path:
Received: from eggs.gnu.org ([2001:4830:134:3::10]:46167) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1bWf9m-0004VN-Nj for guix-devel@gnu.org; Mon, 08 Aug 2016 03:39:31 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1bWf9i-0008V6-IB for guix-devel@gnu.org; Mon, 08 Aug 2016 03:39:29 -0400
Received: from pb-sasl2.pobox.com ([64.147.108.67]:51194 helo=sasl.smtp.pobox.com) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1bWf9i-0008JI-E6 for guix-devel@gnu.org; Mon, 08 Aug 2016 03:39:26 -0400
In-Reply-To: <20160806020707.GA16878@jasmine> (Leo Famulari's message of "Fri, 5 Aug 2016 22:07:07 -0400")
List-Id: "Development of GNU Guix and the GNU System distribution."
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org
Sender: "Guix-devel"
To: Leo Famulari
Cc: guix-devel@gnu.org

On Sat 06 Aug 2016 04:07, Leo Famulari writes:

> But, I also think the primary point of signing the commits is to record
> the identity of the person responsible for the commit, and so I think
> the policy should be to sign each commit. [0]

To me this is not the value that signing brings; rather, signing protects
against an attack in which a malicious third party updates the Guix git
repository to have a vulnerable commit.

Given that most people run "guix pull" without inspecting the commits,
this is real value: it would be possible to even make "guix pull" only
accept updates whose HEAD is signed by a key in the keyring. Having the
hook only accept signed HEADs is a good start along that path of course.

> Isn't it better for the identity information to be inherent to the Git
> commits themselves, since those are what is preserved by Git? Git does
> not preserve hooks or policies.

The convention that a signature goes along with responsibility is also a
policy -- any path we take is a convention.

> Also, is there some problem with signing each commit? I don't know why
> we'd want to stop doing this.

I think there's a risk of signing fatigue. The more signatures you make
with your key, the more likely it is that you sign something that you
didn't mean to. To me it makes sense to reduce the number of signatures
to the minimum necessary to preserve whatever security properties we are
interested in; but YMMV obviously :)

Andy
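The check the thread keeps coming back to ("only accept updates whose HEAD is signed by a key in the keyring", whether in a server-side hook or in "guix pull") has two parts that are easy to get wrong: reconstructing exactly the bytes git signed, and deciding trust from *which* key signed rather than from gpg's exit status. The following is an added example, not code from Guix or from anyone in this thread. It assumes the raw commit object as printed by `git cat-file commit <rev>`, a `gpg` binary on PATH for the live verification path, and a dedicated GNUPGHOME holding only the project keyring; the sample commit object, the key fingerprint and the gpg status lines are constructed for the example and the signature body is a placeholder, not a real signature.

```python
"""Accept a commit only if it is signed by a key on an allow-list.

Added example for the "signed HEAD only" policy discussed in the thread;
not Guix's own code.  Two steps:
  1. split a raw commit object (`git cat-file commit <rev>`) into the bytes
     git signed and the detached armored signature git keeps in its
     `gpgsig` header;
  2. decide trust from gpg's machine-readable --status-fd output, matching
     the signer's fingerprint against an allow-list, instead of from gpg's
     exit code, which says nothing about whose key made the signature.
Sample commit, fingerprint and status lines below are constructed.
"""
import os
import subprocess
import tempfile
from typing import Optional, Set, Tuple


def split_signed_commit(raw: str) -> Tuple[str, Optional[str]]:
    """Return (payload, signature) for a raw commit object.

    git signs the commit with the `gpgsig` header removed.  Continuation
    lines of a header start with one space, stripped when the armor is
    reassembled; the armor's blank line is stored as a lone space.
    """
    header_text, _, message = raw.partition("\n\n")
    payload_lines = []
    sig_lines = None            # stays None if the commit is unsigned
    in_sig = False
    for line in header_text.split("\n"):
        if line.startswith(" "):            # continuation line
            if in_sig:
                sig_lines.append(line[1:])
            else:
                payload_lines.append(line)
            continue
        in_sig = line.split(" ", 1)[0] == "gpgsig"
        if in_sig:
            sig_lines = [line[len("gpgsig "):]]
        else:
            payload_lines.append(line)
    payload = "\n".join(payload_lines) + "\n\n" + message
    signature = "\n".join(sig_lines) + "\n" if sig_lines is not None else None
    return payload, signature


def trusted_signer(status_output: str, allowed: Set[str]) -> Optional[str]:
    """Return the allow-listed primary fingerprint behind a valid signature.

    VALIDSIG fields: signing-key fpr, date, timestamps, algos, class, and
    (last) the primary-key fpr.  Any BADSIG/ERRSIG/EXPSIG/EXPKEYSIG/
    REVKEYSIG line rejects the commit even if a VALIDSIG line is present.
    """
    allowed = {a.upper() for a in allowed}
    reject = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}
    found = None
    for line in status_output.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()
        if fields[1] in reject:
            return None
        if fields[1] == "VALIDSIG" and len(fields) >= 3:
            signing_fpr, primary_fpr = fields[2].upper(), fields[-1].upper()
            if signing_fpr in allowed or primary_fpr in allowed:
                found = primary_fpr
    return found


def verify_commit(raw: str, allowed: Set[str], gnupghome: str) -> Optional[str]:
    """Verify a real signed commit with gpg; returns trusted fpr or None.

    A dedicated GNUPGHOME (project keyring only) keeps keys from a
    developer's personal keyring from making a commit look trusted.
    """
    payload, signature = split_signed_commit(raw)
    if signature is None:
        return None
    with tempfile.TemporaryDirectory() as tmp:
        sig_path, data_path = os.path.join(tmp, "c.sig"), os.path.join(tmp, "c.payload")
        with open(sig_path, "w", newline="\n") as f:
            f.write(signature)
        with open(data_path, "w", newline="\n") as f:
            f.write(payload)
        proc = subprocess.run(
            ["gpg", "--batch", "--no-tty", "--status-fd", "1", "--verify",
             sig_path, data_path],
            capture_output=True, text=True, check=False,
            env=dict(os.environ, GNUPGHOME=gnupghome))
    return trusted_signer(proc.stdout, allowed)


# Constructed sample commit object; the signature body is a placeholder.
SAMPLE_COMMIT = "\n".join([
    "tree 4b825dc642cb6eb9a060e54bf8d69288fbee4904",
    "parent 1111111111111111111111111111111111111111",
    "author Example Committer <committer@example.org> 1470642000 +0200",
    "committer Example Committer <committer@example.org> 1470642000 +0200",
    "gpgsig -----BEGIN PGP SIGNATURE-----",
    " ",
    " iQEcBAABCAAGBQJXEXAMPLESIGNATUREBODYNOTREALAAAA",
    " =abcd",
    " -----END PGP SIGNATURE-----",
    "",
    "gnu: foo: Update to 1.2.",
    "",
])
KEY_FPR = "3AA5C34371567BD2FFFFFFFFFFFFFFFFFFFFFFFF"   # placeholder fingerprint
SAMPLE_STATUS_GOOD = "\n".join([            # constructed gpg --status-fd output
    "[GNUPG:] NEWSIG",
    "[GNUPG:] GOODSIG 71567BD2FFFFFFFF Example Committer <committer@example.org>",
    "[GNUPG:] VALIDSIG " + KEY_FPR + " 2016-08-08 1470642000 0 4 0 1 8 00 " + KEY_FPR,
    "[GNUPG:] TRUST_UNDEFINED 0 pgp",
])
SAMPLE_STATUS_EXPIRED = SAMPLE_STATUS_GOOD.replace("GOODSIG", "EXPKEYSIG")

if __name__ == "__main__":
    payload, sig = split_signed_commit(SAMPLE_COMMIT)
    print(payload, sig, sep="---\n")
    print(trusted_signer(SAMPLE_STATUS_GOOD, {KEY_FPR}))
    print(trusted_signer(SAMPLE_STATUS_EXPIRED, {KEY_FPR}))
```

In an `update` hook the caller would feed `git cat-file commit $newrev` to `verify_commit` and reject the push when it returns None; checking only the new tip is exactly the "signed HEADs" variant Andy describes, and widening it to every commit in `$oldrev..$newrev` is the per-commit policy Leo argues for. Parsing `--status-fd` rather than the exit code matters because gpg exits 0 for a good signature from any key it happens to know, and `EXPKEYSIG`/`REVKEYSIG` are reported alongside `VALIDSIG`, so a naive "VALIDSIG present" check would accept signatures from expired or revoked keys.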