From: Andreas Enge
Subject: Re: ‘core-updates’ merge is a squashed commit
Date: Sat, 6 Aug 2016 09:52:10 +0200
Message-ID: <20160806075210.GA1715@solar>
References: <87ziosyalv.fsf@netris.org> <87a8gso9p4.fsf@igalia.com> <20160804164453.GB8137@jasmine> <87a8gsmq2h.fsf@igalia.com> <20160804200519.GA14007@jasmine> <874m6zmzvk.fsf@igalia.com> <20160805145943.GA16973@jasmine> <87invfjh2h.fsf@igalia.com> <20160805171115.GB20835@jasmine> <871t22ww3v.fsf@netris.org>
In-Reply-To: <871t22ww3v.fsf@netris.org>
List-Id: "Development of GNU Guix and the GNU System distribution."
To: Mark H Weaver
Cc: guix-devel@gnu.org

On Fri, Aug 05, 2016 at 08:59:32PM -0400, Mark H Weaver wrote:
> I haven't thought deeply on this, but it seems to me that Andy's
> suggestion has a lot of merit. We could choose to decide, as a matter
> of policy, that if you sign a commit with unsigned ancestor commit(s),
> you are effectively vouching for those ancestor commits. We could
> modify the commit hook to accept a push as long as the new HEAD commit
> is signed by an authorized key, disregarding the ancestors.
>
> There's one thing that each of us would need to be careful of, though.
> If we adopt this policy, then before signing a commit, we'd need to
> first verify that the parent commit has been signed, lest we
> accidentally vouch for an unsigned commit that we know nothing about.

I am not very happy about such a policy; if I sign a commit, I am only
signing my commit, and not all of its history, or even only its history
up to the previous signed commit. Also, while signing each commit is a
simple git configuration option, needing to verify the history before
each commit would be a hassle that as far as I can see is not easily
automated.

> In practice, this could only happen if Savannah is compromised or
> there's a man-in-the-middle attack, because Savannah is supposed to
> ensure that pushes with unsigned HEADs are rejected.

Agreed, this mitigates the problem above. But I feel better with the
current situation.

Andreas
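The two push policies under discussion, "accept if the new HEAD is signed by an authorized key" versus "every commit in the pushed range must be signed by an authorized key", can be expressed as a small check over git's own signature-status output. The following is an added example written for this page; it is not Guix's or Savannah's hook code and nothing in the thread describes such an implementation. It assumes a server-side hook would run `git log --format='%H %G? %GK' "$oldrev..$newrev"` (the `%G?` and `%GK` placeholders are standard git pretty-format fields) and feed the output to `check_range()`; the key ids and the commit list below are constructed sample data so the example runs offline.

```python
"""Evaluate a pushed commit range under a HEAD-only and a full-chain
signing policy.  Added example; the git output is a constructed sample."""
from dataclasses import dataclass

# Constructed placeholder key ids.  A real hook would load the project's
# list of authorized signing keys instead.
AUTHORIZED_KEYS = frozenset({"0123456789ABCDEF", "FEDCBA9876543210"})


@dataclass(frozen=True)
class CommitSig:
    sha: str
    status: str  # git %G? code: G good, N unsigned, B bad, U untrusted key, E cannot check
    key: str     # git %GK key id; empty when the commit carries no signature


def parse_git_log(text: str) -> list:
    """Parse lines of `git log --format='%H %G? %GK'` (newest commit first)."""
    commits = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        sha, status = parts[0], parts[1]
        key = parts[2] if len(parts) > 2 else ""   # unsigned commits print no key
        commits.append(CommitSig(sha, status, key))
    return commits


def is_authorized(commit: CommitSig) -> bool:
    """A good signature from a key the project trusts.  'U' (valid signature,
    untrusted key) and 'E' (could not verify) are deliberately rejected."""
    return commit.status == "G" and commit.key in AUTHORIZED_KEYS


def head_only_policy(commits) -> bool:
    """Only the new HEAD must carry an authorized signature; ancestors are ignored."""
    return bool(commits) and is_authorized(commits[0])


def full_chain_policy(commits) -> bool:
    """Every commit in the pushed range must carry an authorized signature."""
    return bool(commits) and all(is_authorized(c) for c in commits)


def unverified_commits(commits) -> list:
    """Commits in the range that the HEAD-only policy would let through
    without an authorized signature of their own."""
    return [c.sha for c in commits if not is_authorized(c)]


def check_range(text: str, require_full_chain: bool = False) -> dict:
    """Summarize one pushed range; 'accept' follows the selected policy."""
    commits = parse_git_log(text)
    head_ok = head_only_policy(commits)
    chain_ok = full_chain_policy(commits)
    return {
        "head_ok": head_ok,
        "chain_ok": chain_ok,
        "accept": chain_ok if require_full_chain else head_ok,
        "unverified": unverified_commits(commits),
    }


# Constructed sample: a three-commit push whose middle commit is unsigned.
SAMPLE_LOG = """\
c3e1f0aa00000000000000000000000000000003 G 0123456789ABCDEF
b2d0e9bb00000000000000000000000000000002 N
a1c0d8cc00000000000000000000000000000001 G FEDCBA9876543210
"""

if __name__ == "__main__":
    for strict in (False, True):
        label = "full chain" if strict else "HEAD only"
        print(label, check_range(SAMPLE_LOG, require_full_chain=strict))
```

On the sample range the HEAD-only policy accepts the push while the full-chain policy rejects it, and `unverified` names the commit that the HEAD signer would implicitly be vouching for; that list is the piece of information a signer would want to see before signing on top of a fetched history.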