From: Ingo Molnar <mingo@elte.hu>
To: Linus Torvalds <torvalds@linux-foundation.org>
Cc: James Bottomley <James.Bottomley@hansenpartnership.com>,
	Jeff Garzik <jeff@garzik.org>,
	Andrew Morton <akpm@linux-foundation.org>,
	linux-ide@vger.kernel.org, LKML <linux-kernel@vger.kernel.org>
Subject: Re: [git patches] libata updates, GPG signed (but see admin notes)
Date: Mon, 31 Oct 2011 09:40:48 +0100
Message-ID: <20111031084048.GA11807@elte.hu>
In-Reply-To: <CA+55aFx1NGWfNJAKDTvZfsHDDKiEtS4t4RydSgHurBeyGPyhXg@mail.gmail.com>

* Linus Torvalds <torvalds@linux-foundation.org> wrote:

> That said, even the "BEGIN PGP SIGNED MESSAGE" things are a massive
> pain in the butt. We need to automate this some sane way, both for
> the sender and for the recipient.

The most practical form would be if Git supported such oneliner pull
requests:

  git pull git://foo.com bar.branch \
    --pull-sha1 0acf00014bcfd71090c3b0d43c98e970108064e4 \
    --gpg-by: "Ingo Molnar <mingo@kernel.org>" \
    --gpg-sig: 8a6f134afd1d212fe21345

maintainers could just paste them into a shell and it would abort if
it's not trusted. The maintainer verifies the visible, 'Ingo Molnar'
bit. The 8a6f134afd1d212fe21345 is a signed-by-Ingo-Molnar version of
this content:

  git://foo.com bar.branch 0acf00014bcfd71090c3b0d43c98e970108064e4

And Git would verify that what ends up being pulled is indeed
0acf00014bcfd and also verifies that it was signed by me.

[ If we are extra diligent/paranoid then beyond the sha1 we might
  even GPG sign the shortlog, or even the full raw log of all commits
  leading to the sha1: this introduces some Git shortlog and patch
  formatting version dependency though.

  Git could also double check foo.com's DNS coherency, or check it
  against a known-trusted whitelist of domain names specified in the
  maintainer's .gitconfig, as an extra layer. ]

Doing it in this form would remove all the mail formatting madness -
one could paste such a pull request into a shell straight away, from
HTML email, from text email, from MIME email, etc.

In fact i would trust such a Git based solution far more than any
opaque, invisible tool that claims to have checked a signature with
cooperation of my mail client (ha!).

The only somewhat non-obvious bit is that Git should be *very*
careful about its key ID and signature parsing strategy, to protect
against social engineering attacks.

For example neither this:

  --gpg-by: "Ingo Molnar <mingo@kernal.org>"

nor this:

  --pgp-by: "Ingo Molnar <mingo@kernel.org>"

malicious pull request should slip through in any fashion:

 - Git should only use keys that are in your ring of trust - not pull
   keys from the public keyring automatically and just check
   coherency of the pull request or such. [I'm sure people will be
   tempted to have such a feature - but that temptation should be
   resisted.]

 - Git should abort the moment it sees an unknown option

Thanks,

	Ingo
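
The checks the message asks for, as an added example (not part of the message and not Git's code): the parser aborts on any unknown option, the signer must match an entry in a local trust ring exactly, and the fetched tip must equal the signed SHA-1. All function names, `trust_ring` and the caller-supplied `verify_sig` callback (which would perform the actual OpenPGP check) are assumptions.

```python
import re
from dataclasses import dataclass

class PullRequestRejected(Exception):
    """Any condition under which the pull must abort."""

@dataclass(frozen=True)
class PullRequest:
    url: str
    branch: str
    sha1: str
    signer: str
    sig: str

# Option spellings exactly as in the message; no aliases, no prefix matching.
OPTIONS = {"--pull-sha1": "sha1", "--gpg-by:": "signer", "--gpg-sig:": "sig"}

def parse_pull_request(argv):
    """Parse ['git', 'pull', URL, BRANCH, option, value, ...] strictly."""
    if len(argv) < 4 or argv[:2] != ["git", "pull"]:
        raise PullRequestRejected("not a 'git pull URL BRANCH ...' request")
    url, branch, rest = argv[2], argv[3], argv[4:]
    if url.startswith("-") or branch.startswith("-") or len(rest) % 2:
        raise PullRequestRejected("malformed arguments")
    fields = {}
    for opt, value in zip(rest[::2], rest[1::2]):
        name = OPTIONS.get(opt)
        if name is None:               # e.g. '--pgp-by:' aborts here
            raise PullRequestRejected(f"unknown option {opt!r}")
        if name in fields:
            raise PullRequestRejected(f"duplicate option {opt!r}")
        fields[name] = value
    if set(fields) != set(OPTIONS.values()):
        raise PullRequestRejected("missing option")
    if not re.fullmatch(r"[0-9a-f]{40}", fields["sha1"]):
        raise PullRequestRejected("--pull-sha1 is not a full SHA-1")
    return PullRequest(url, branch, **fields)

def signed_payload(req):
    """The exact content the signature covers, per the message."""
    return f"{req.url} {req.branch} {req.sha1}".encode()

def verify_and_pin(req, trust_ring, verify_sig, fetched_sha1):
    """trust_ring maps an exact identity string to a locally trusted key."""
    key = trust_ring.get(req.signer)   # exact match; never fetch unknown keys
    if key is None:                    # e.g. 'mingo@kernal.org' aborts here
        raise PullRequestRejected("signer is not in the local ring of trust")
    if not verify_sig(key, signed_payload(req), req.sig):
        raise PullRequestRejected("signature does not cover this request")
    if fetched_sha1 != req.sha1:
        raise PullRequestRejected("fetched tip differs from signed SHA-1")
    return req.sha1
```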