Re: [RFC/PATCH v1] Add Travis CI support

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Junio C Hamano <gitster@pobox.com>
To: Jeff King <peff@peff.net>
Cc: larsxschneider@gmail.com, git@vger.kernel.org
Subject: Re: [RFC/PATCH v1] Add Travis CI support
Date: Fri, 25 Sep 2015 11:29:31 -0700	[thread overview]
Message-ID: <xmqqa8sa4ak4.fsf@gitster.mtv.corp.google.com> (raw)
In-Reply-To: <20150925162615.GF8417@sigill.intra.peff.net> (Jeff King's message of "Fri, 25 Sep 2015 12:26:16 -0400")

Jeff King <peff@peff.net> writes:

> If the point is for clients not to trust GitHub, though, it doesn't
> really matter what GitHub does with the cert, as long as it is put
> somewhere that clients know to get it.

Correct.  A spiffy Web interface that says "Click this button and we
show you the output of GPG signature verification" would not help.
The push certificate is all about allowing third-parties to conduct
an independent audit, so anything the hosting site computes using
the certificates does not add value, unless the certificates
themselves are exported for such an independent audit.

If somebody found a change to "git push" that makes it pick the
user's wallet and sends a few coins every time it talks to the
hosting site, the hosting site can say it is not their doing by
showing that the tip of the commit that contains such a change came
from me, and it is not their evil doing.  Push certificates help the
hosting site prove their innocence, and those who do not trust the
site can still be convinced by the claim.

There is one scenario that signed push would not help very much,
though.  The hosting site cannot deny that it did not receive a
push.

Following such an incident (perhaps the evil change came as a side
effect of a innocuous looking patch), I would push a commit that
fixes such an issue out to the hosting site (with signed commit).
But if the hosting site deliberately keeps the tip of the branch
unmodified (e.g. you can appear to accept the push to the pusher,
without updating what is served to the general public), there will
be more people who will fetch from the hosting site to contaminate
their copy of git and the damage will spread in the meantime.

When I finally complain to the hosting site that it is deliberately
rejecting the fix that would rob them the illicit revenue source, it
does not help the hosting site to keep copies of push certificates
when it wants to refute such a complaint.  "We publish all push
certificates and there is no record that gitster already tried to
fix the issue" has to be taken with faith in that scenario.

So push certificate is not perfect.  But it does protect hosting
sites and projects hosted on them.

>  So I wonder if it would be
> helpful to have a microformat that the client would use to look at this.
> E.g., it would fetch the cert tree, then confirm that the current ref
> values match the latest cert.

Yeah, that is one possibility.  Just a single flat file that
concatenates all the push cert in the received order would do as an
export format, too ;-)

next prev parent reply	other threads:[~2015-09-25 18:29 UTC|newest]

Thread overview: 31+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2015-09-24 21:43 [RFC/PATCH v1] Add Travis CI support larsxschneider
2015-09-24 21:43 ` larsxschneider
2015-09-25  0:41 ` Junio C Hamano
2015-09-25  3:14   ` Dennis Kaarsemaker
2015-09-25  7:27     ` Johannes Schindelin
2015-09-25  8:05       ` Luke Diamand
2015-09-25 17:41         ` Junio C Hamano
2015-09-26 16:40         ` Lars Schneider
2015-09-27 12:11         ` Matthieu Moy
2015-09-28 17:21           ` Stefan Beller
2015-09-28 17:37           ` Matthieu Moy
2015-09-28 18:47             ` Junio C Hamano
2015-09-28 19:07               ` Matthieu Moy
2015-10-03 22:23               ` Roberto Tyley
2015-10-04  1:27                 ` Junio C Hamano
2015-10-04  1:37                   ` Junio C Hamano
2015-10-04  8:13                     ` Dennis Kaarsemaker
2015-10-04 12:51                     ` Johannes Schindelin
2015-10-04  7:59                   ` Matthieu Moy
2015-10-04 17:46                     ` Junio C Hamano
2015-10-04 18:06                       ` Dennis Kaarsemaker
2015-10-05  6:54                         ` Matthieu Moy
2015-10-05 16:51                         ` Junio C Hamano
2015-10-12  8:03                       ` Sebastian Schuberth
2015-10-04 17:59                     ` Junio C Hamano
2015-10-04  3:34                 ` Jeff King
2015-10-02 16:40     ` Sebastian Schuberth
2015-09-25 16:26   ` Jeff King
2015-09-25 18:29     ` Junio C Hamano [this message]
2015-09-25 18:52       ` Jeff King
2015-09-26 21:54         ` Shawn Pearce

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=xmqqa8sa4ak4.fsf@gitster.mtv.corp.google.com \
    --to=gitster@pobox.com \
    --cc=git@vger.kernel.org \
    --cc=larsxschneider@gmail.com \
    --cc=peff@peff.net \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.