From: Ted Ts'o <tytso@mit.edu>
To: Junio C Hamano <gitster@pobox.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>,
git@vger.kernel.org,
James Bottomley <James.Bottomley@hansenpartnership.com>,
Jeff Garzik <jeff@garzik.org>,
Andrew Morton <akpm@linux-foundation.org>
Subject: Re: [git patches] libata updates, GPG signed (but see admin notes)
Date: Mon, 31 Oct 2011 16:30:59 -0400 [thread overview]
Message-ID: <20111031203059.GJ16825@thunk.org> (raw)
In-Reply-To: <7vy5w1ow90.fsf@alter.siamese.dyndns.org>
(removing linux-ide and linux-kernel)
On Mon, Oct 31, 2011 at 11:23:55AM -0700, Junio C Hamano wrote:
> On the other hand, the consumers of "Linus kernel" may want to say that
> they trust your tree and your tags because they can verify them with your
> GPG signature, but also they can independently verify the lieutenants'
> trees you pulled from are genuine. Keeping signed tags and publishing them
> is one way to make it possible, but 400 extra tags in 3 months feels like
> an approach with too much downside (i.e. noise) for that benefit.
I wouldn't put it as "we don't trust Linus's tree", because it's not
true. In general, we do trust Linus's tree. On the other hand, it's
useful if the proof which was submitted at the time of the push could
be verified by third parties.
Suppose the project wasn't Linus, but some other project, say, a
hypothetical Desktop system called Troll3. Let's assume that it's run
by a sole dictator, S. Crew Powerusers, who blindly assumes that any
tree on github is secure, and is confident he or she can detect social
engineering attacks caused by a bad guy grabbing a developer's SSH key
used to push to github, and who can fake a pull request to Linus that
looks real but is really originated by the bad guy. Let's assume
further that the pull request has a signed tag which could be used to
detect such forgeries, but because Mr. Powerusers can't be bothered to
check the tag, because he can't figure out how to update his GPG
keyring and besides, he hates crypto stuff --- and the bad guys know
this, and are good (Kevin Mitnick or better) at social engineering
attacks.
In this sort of scenario, it's useful if *other* people could
independently verify the Troll3 git tree via the crypto signatures,
even though the central maintainer couldn't be bothered to check the
crypto signatures.
Here's an idea.... what if the "signed push" information could be
embedded into the merge commit's description? That is, the
information could sent via a signed git tag, or some other mechanism,
but then part of the git merge would incorporate the GPG signature
into the merge commit's description field (and we could always create
a merge commit so there's a place to put the digital siganture). That
way, it's mostly out of the way, but it's in a well-defined place
where it will always easy to have a third party independently verify
the source of a set of commits in the git tree.
The problem with notes and tags is that they have to be pushed
separately, and might get lost; where as if they are stored in the
merge commit's description, they will always be there.
- Ted
next prev parent reply other threads:[~2011-10-31 20:31 UTC|newest]
Thread overview: 110+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-10-26 20:22 [git patches] libata updates, GPG signed (but see admin notes) Jeff Garzik
2011-10-29 19:13 ` Valdis.Kletnieks
2011-10-29 19:27 ` Jeff Garzik
2011-10-30 10:05 ` James Bottomley
2011-10-30 17:12 ` Linus Torvalds
2011-10-31 8:19 ` James Bottomley
2011-10-31 15:53 ` Linus Torvalds
2011-10-31 18:23 ` Junio C Hamano
2011-10-31 20:30 ` Ted Ts'o [this message]
2011-10-31 20:53 ` Junio C Hamano
2011-10-31 22:18 ` Linus Torvalds
2011-10-31 22:20 ` H. Peter Anvin
2011-10-31 22:30 ` Linus Torvalds
2011-10-31 22:33 ` H. Peter Anvin
2011-10-31 22:38 ` Linus Torvalds
2011-10-31 22:51 ` Junio C Hamano
2011-10-31 22:56 ` Linus Torvalds
2011-11-02 9:11 ` Ingo Molnar
2011-11-02 11:20 ` Jochen Striepe
2011-10-31 23:09 ` Junio C Hamano
2011-10-31 22:44 ` Junio C Hamano
2011-10-31 22:47 ` H. Peter Anvin
2011-10-31 22:49 ` Ted Ts'o
2011-10-31 22:51 ` H. Peter Anvin
2011-10-31 22:51 ` H. Peter Anvin
2011-10-31 22:51 ` H. Peter Anvin
2011-10-31 22:52 ` Linus Torvalds
2011-10-31 22:54 ` H. Peter Anvin
2011-10-31 23:03 ` Linus Torvalds
2011-11-01 5:39 ` James Bottomley
2011-10-31 23:55 ` Jeff Garzik
2011-11-01 0:42 ` H. Peter Anvin
2011-10-31 22:33 ` Jiri Kosina
2011-11-01 19:47 ` Junio C Hamano
2011-11-01 21:21 ` Linus Torvalds
2011-11-01 21:56 ` Junio C Hamano
2011-11-02 20:04 ` Linus Torvalds
2011-11-02 21:13 ` Junio C Hamano
2011-11-03 1:02 ` Shawn Pearce
2011-11-03 1:19 ` Linus Torvalds
2011-11-03 1:45 ` Linus Torvalds
2011-11-03 2:14 ` Shawn Pearce
2011-11-03 2:25 ` Linus Torvalds
2011-11-03 3:22 ` Jochen Striepe
2011-11-03 4:13 ` Linus Torvalds
2011-11-10 13:51 ` David Woodhouse
2011-11-10 15:23 ` Marc Branchaud
2011-11-10 15:23 ` Marc Branchaud
2011-11-03 2:31 ` Linus Torvalds
2011-11-03 2:19 ` Linus Torvalds
2011-11-04 20:16 ` Junio C Hamano
2011-11-04 21:22 ` Junio C Hamano
2011-11-04 23:10 ` Linus Torvalds
2011-11-05 3:55 ` Jeff King
2011-11-05 4:37 ` Junio C Hamano
2011-11-03 18:16 ` Junio C Hamano
2011-11-03 18:52 ` Junio C Hamano
2011-11-03 19:09 ` Linus Torvalds
2011-11-04 14:59 ` Ted Ts'o
2011-11-04 15:14 ` Linus Torvalds
2011-11-04 15:14 ` Linus Torvalds
2011-11-04 15:14 ` Linus Torvalds
2011-11-07 7:52 ` Valdis.Kletnieks
2011-11-07 16:24 ` Linus Torvalds
2011-11-05 6:36 ` Junio C Hamano
2011-11-05 16:41 ` Linus Torvalds
2011-11-05 23:49 ` Junio C Hamano
2011-11-06 0:53 ` Linus Torvalds
2011-11-09 17:26 ` Junio C Hamano
2011-11-10 8:02 ` Johan Herland
2011-11-10 15:15 ` Junio C Hamano
2011-11-10 16:03 ` Johan Herland
2011-11-10 17:18 ` Junio C Hamano
2011-11-11 1:17 ` Johan Herland
2011-11-11 5:26 ` Junio C Hamano
2011-11-10 21:41 ` Junio C Hamano
2011-11-03 19:06 ` Linus Torvalds
2011-11-04 21:12 ` Junio C Hamano
2011-11-04 23:45 ` Linus Torvalds
2011-11-03 2:55 ` Jeff King
2011-11-03 3:16 ` Robin H. Johnson
2011-11-03 18:29 ` Junio C Hamano
2011-11-01 22:39 ` Ted Ts'o
2011-11-02 23:34 ` Junio C Hamano
2011-11-02 23:41 ` david
2011-11-02 23:42 ` Linus Torvalds
2011-11-10 13:52 ` David Woodhouse
2011-11-02 10:53 ` Michael J Gruber
2011-11-02 18:58 ` Junio C Hamano
2011-11-02 21:05 ` Michael J Gruber
2011-10-31 8:40 ` Ingo Molnar
2011-10-31 22:03 ` Junio C Hamano
2011-10-31 8:40 ` Ingo Molnar
2011-10-31 21:46 ` H. Peter Anvin
2011-10-31 22:21 ` Linus Torvalds
2011-10-31 22:23 ` H. Peter Anvin
2011-10-31 22:34 ` Linus Torvalds
2011-11-01 2:17 ` david
2011-11-01 3:25 ` H. Peter Anvin
2011-11-01 3:42 ` Linus Torvalds
2011-11-01 4:25 ` hpanvin@gmail.com
2011-11-01 5:19 ` James Bottomley
2011-11-01 13:13 ` Henrique de Moraes Holschuh
2011-11-01 17:06 ` Tony Luck
2011-11-01 17:15 ` Linus Torvalds
2011-11-12 19:31 ` Felipe Contreras
2011-11-01 5:03 ` david
2011-11-01 13:32 ` Theodore Tso
2011-11-01 3:31 ` Linus Torvalds
2011-11-01 4:58 ` david
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20111031203059.GJ16825@thunk.org \
--to=tytso@mit.edu \
--cc=James.Bottomley@hansenpartnership.com \
--cc=akpm@linux-foundation.org \
--cc=git@vger.kernel.org \
--cc=gitster@pobox.com \
--cc=jeff@garzik.org \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.