From mboxrd@z Thu Jan 1 00:00:00 1970
From: Ingo Molnar
Subject: Re: [git patches] libata updates, GPG signed (but see admin notes)
Date: Wed, 2 Nov 2011 10:11:26 +0100
Message-ID: <20111102091126.GG18903@elte.hu>
References: <1320049150.8283.19.camel@dabdike> <7vy5w1ow90.fsf@alter.siamese.dyndns.org> <4EAF1F40.3030907@zytor.com> <4EAF2245.90308@zytor.com> <7vvcr4ojvp.fsf@alter.siamese.dyndns.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Return-path:
Content-Disposition: inline
In-Reply-To:
Sender: linux-kernel-owner@vger.kernel.org
To: Linus Torvalds
Cc: Junio C Hamano, "H. Peter Anvin", git@vger.kernel.org, James Bottomley, Jeff Garzik, Andrew Morton, linux-ide@vger.kernel.org, LKML
List-Id: linux-ide@vger.kernel.org

* Linus Torvalds wrote:

> And the receiving side would just do the "git pull" and
> automatically just get notified that "Yes, this push has been
> signed by key Xyz Abcdef"

If this approach is used then it would be nice to have a .gitconfig
switch to require trusted pulls by default: to not allow doing
non-signed or untrusted pulls accidentally, or for Git to warn in a
visible, hard-to-miss way if there's a non-signed pull.

This adds social uncertainty (and an element of a silent alarm) to a
realistic attack: the attacker wouldn't know exactly how the puller
checks signed pull requests, it's kept private.

Thanks,

	Ingo