From: Mark H Weaver
Subject: Re: ‘core-updates’ merge is a squashed commit
Date: Fri, 05 Aug 2016 20:59:32 -0400
Message-ID: <871t22ww3v.fsf@netris.org>
To: Leo Famulari
Cc: guix-devel@gnu.org

Leo Famulari writes:

> On Fri, Aug 05, 2016 at 06:50:30PM +0200, Andy Wingo wrote:
>> Why would you sign a commit if you don't attest to intermediate unsigned
>> commits?
>
> If I push A-B-C with a signed HEAD immediately after somebody pushes a
> forged D, won't it look like I vouch for D?

This can't happen unless D is already in your local repo before you
commit locally.

If someone pushes D immediately before you try to push A-B-C, your push
will be rejected. At that point, you need to pull, rebase on top of D,
and try again. You can always see the ancestor commits before signing
the new commit.

I haven't thought deeply on this, but it seems to me that Andy's
suggestion has a lot of merit. We could choose to decide, as a matter
of policy, that if you sign a commit with unsigned ancestor commit(s),
you are effectively vouching for those ancestor commits. We could
modify the commit hook to accept a push as long as the new HEAD commit
is signed by an authorized key, disregarding the ancestors.

There's one thing that each of us would need to be careful of, though.
If we adopt this policy, then before signing a commit, we'd need to
first verify that the parent commit has been signed, lest we
accidentally vouch for an unsigned commit that we know nothing about.
In practice, this could only happen if Savannah is compromised or
there's a man-in-the-middle attack, because Savannah is supposed to
ensure that pushes with unsigned HEADs are rejected.

What do you think?

     Mark
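
The policy proposed in the message above, modelled as an added example (not code from this thread or from the Guix/Savannah hook): it parses constructed `git log --format='%H|%P|%G?|%GK'` output, applies the "only HEAD must be signed" hook rule, and computes which unsigned ancestors a signed HEAD would implicitly vouch for. The commit names, key IDs and the `AUTHORIZED` set are assumptions made for illustration.

```python
# Constructed `git log --format='%H|%P|%G?|%GK'` output, newest first.
# Hashes and key IDs are placeholders, not real Guix commits or keys.
# d0 plays the unsigned "D" from the thread, sitting on the fetched branch.
SAMPLE_LOG = """\
c3|b2|G|KEY_ALICE
b2|a1|N|
a1|d0|N|
d0|e9|N|
e9||G|KEY_BOB
"""
AUTHORIZED = {"KEY_ALICE", "KEY_BOB"}  # hypothetical committer keyring


def parse(log):
    """Map commit -> (parents, signed_by_authorized_key)."""
    commits = {}
    for line in log.splitlines():
        sha, parents, status, key = line.split("|")
        # %G? is 'G' for a good signature, 'N' for no signature.
        commits[sha] = (parents.split(), status == "G" and key in AUTHORIZED)
    return commits


def hook_accepts(commits, new_head):
    """Proposed hook rule: only the pushed HEAD must carry an authorized signature."""
    return commits[new_head][1]


def parent_is_signed(commits, parent):
    """Check to run before signing: is the commit being built on signed?"""
    return commits[parent][1]


def vouched_for(commits, signed_head):
    """Unsigned ancestors reachable from signed_head without crossing a signed commit."""
    covered, stack = set(), list(commits[signed_head][0])
    while stack:
        sha = stack.pop()
        if sha in covered or sha not in commits:
            continue
        parents, signed = commits[sha]
        if signed:
            continue  # that commit's own signer answers for its history
        covered.add(sha)
        stack.extend(parents)
    return covered
```

Here `vouched_for(parse(SAMPLE_LOG), "c3")` includes `d0`, which is the accident the parent check is meant to catch: `parent_is_signed` is false for `d0` before any new work is signed on top of it.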