From: Mike Gerwitz
Subject: Re: ‘core-updates’ merge is a squashed commit
Date: Sun, 07 Aug 2016 02:16:11 -0400
Message-ID: <87twexums4.fsf@gnu.org>
In-Reply-To: <87a8gso9p4.fsf@igalia.com> (Andy Wingo's message of "Thu, 04 Aug 2016 17:06:15 +0200")
To: Andy Wingo
Cc: guix-devel@gnu.org

On Thu, Aug 04, 2016 at 17:06:15 +0200, Andy Wingo wrote:
> What's the rationale for requiring non-HEAD commits to be signed when
> pushing? For me a signed HEAD implicitly signs all parent comments, in
> my mental trust model anyway :)

That could be a potentially daunting/impossible task for the person signing a commit.

Aside from asserting one's identity, GPG-signed commits also (can) help in the event that the system of one of the Guix hackers with commit access is compromised. Attacking Savannah is one way to compromise the repo, but compromising one of the many Guix hackers' systems is another.

If a commit is signed in the hacker's local repo, it cannot be manipulated by an attacker, nor can an attacker sign a new malicious commit. Unless, of course, the GPG key resides on the same box, the attacker can get a hold of it, and can use a keylogger/etc to get the passphrase. Smart cards help here.

I also recommend against auto-signing commits on rebase unless you first verify that each commit within that range has a valid signature beforehand.

Not fool-proof, but nothing is. :)

-- 
Mike Gerwitz
Free Software Hacker+Activist | GNU Maintainer & Volunteer
https://mikegerwitz.com | GPG Key ID: 0x8EE30EAB
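
The check recommended in the message above (verify every commit in the range before letting a rebase re-sign it), as an added example that is not part of the original message or of Guix's tooling. The function names and the strict policy of accepting only status `G` are assumptions of this example.

```shell
#!/bin/sh
# Added example: gate a re-signing rebase on every commit in the range
# already carrying a good signature. Function names are hypothetical.

# Read "<hash> <status>" lines, as printed by
#   git log --format='%H %G?'
# and print every commit that is not acceptable. Returns 1 if any is.
# %G? codes: G good, U good but key validity unknown, B bad,
# X/Y expired signature/key, R revoked key, E cannot check, N unsigned.
# Assumption: a strict policy where only G passes.
filter_untrusted() {
    bad=0
    while read -r hash status; do
        [ -n "$hash" ] || continue          # skip blank lines
        case "$status" in
            G) ;;
            *) printf '%s %s\n' "$hash" "${status:-N}"; bad=1 ;;
        esac
    done
    return "$bad"
}

# check_range <upstream> [<tip>]: inspect the commits a rebase onto
# <upstream> would rewrite. Fails closed (status 2) if git itself fails.
check_range() {
    log=$(git log --format='%H %G?' "$1..${2:-HEAD}") || return 2
    printf '%s\n' "$log" | filter_untrusted
}

# resign_range <upstream>: re-sign during rebase only if the gate passes.
resign_range() {
    if check_range "$1"; then
        git rebase --gpg-sign "$1"
    else
        echo "refusing to re-sign: range could not be fully verified" >&2
        return 1
    fi
}

# Constructed sample of the log output (hashes are made up).
sample_log() {
    printf '%s\n' '1a2b3c4 G' '5d6e7f8 N' '9a0b1c2 U' '3d4e5f6 G'
}
```

A `G` status reflects the local keyring and trust settings; it does not by itself show that the signing key belongs to someone with commit access.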