From: "Carlos Martín Nieto" <cmn@elego.de>
To: "Olsen, Alan R" <alan.r.olsen@intel.com>
Cc: Michael Witten <mfwitten@gmail.com>,
Junio C Hamano <gitster@pobox.com>,
Joseph Parmelee <jparmele@wildbear.com>,
"git@vger.kernel.org" <git@vger.kernel.org>
Subject: RE: Lack of detached signatures
Date: Wed, 28 Sep 2011 09:41:49 +0200
Message-ID: <1317195719.30267.4.camel@bee.lab.cmartin.tk>
In-Reply-To: <4B2793BF110AAB47AB0EE7B90897038516F63A7C@ORSMSX101.amr.corp.intel.com>
[-- Attachment #1: Type: text/plain, Size: 2077 bytes --]
On Wed, 2011-09-28 at 04:17 +0000, Olsen, Alan R wrote:
> [Sorry for the top posting. Outlook is evil.]
>
> Detached signatures are created with gpg, not git.

Git delegates all the signing business to gpg.

> What I would like to see in git would be signed commits. I have looked

Every single commit? That sounds very heavy. You might want to look at
signed pushes (signed push certificates), which were discussed in the
list some time the kernel.org intrusion.

Due to the way git calculates the hash for each object, signing a tag
means that you also sign every single commit up to that point (with all
their tree and blob objects).

> at what it would take to make it work, but I don't have all the
> details worked out. (Certain merges and cherry-picks would not work
> very well.)

This is precisely because of the cryptographic hash that is used to make
sure that history doesn't get changed.

cmn
>
> -----Original Message-----
> From: git-owner@vger.kernel.org [mailto:git-owner@vger.kernel.org] On Behalf Of Michael Witten
> Sent: Tuesday, September 27, 2011 5:08 PM
> To: Junio C Hamano
> Cc: Joseph Parmelee; git@vger.kernel.org
> Subject: Re: Lack of detached signatures
>
> On Wed, Sep 28, 2011 at 00:03, Junio C Hamano <gitster@pobox.com> wrote:
> > Joseph Parmelee <jparmele@wildbear.com> writes:
> >
> >> Under the present circumstances, and particularly considering the
> >> sensitivity of the git code itself, I would suggest that you implement
> >> signed detached digital signatures on all release tarballs.
> >
> > Well, signed tags are essentially detached signatures. People can verify
> > tarballs against them if they wanted to, although it is a bit cumbersome.
>
> Aren't tarballs used to get git on machines that don't yet have git?
[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 490 bytes --]
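The point made in the reply above, that a signature on a tag covers every commit, tree and blob reachable from it, can be checked by hand. The following is an added example, not part of the original message or of git's code: it recomputes git's SHA-1 object ids in Python for a constructed two-commit history (file names, contents and the identity string are made up) and shows that altering the oldest blob changes the tip commit id, and therefore the bytes a tag signature is made over.

```python
import hashlib

WHO = b"A U Thor <author@example.com> 1317195709 +0200"  # constructed identity

def obj_id(kind: str, body: bytes) -> str:
    """Git object id: SHA-1 over '<type> <size>\\0' followed by the body."""
    header = f"{kind} {len(body)}".encode() + b"\0"
    return hashlib.sha1(header + body).hexdigest()

def tree(files: dict) -> str:
    """Flat tree of regular files: 'mode name\\0' + raw 20-byte blob id, sorted by name."""
    body = b"".join(
        b"100644 " + name.encode() + b"\0" + bytes.fromhex(obj_id("blob", data))
        for name, data in sorted(files.items()))
    return obj_id("tree", body)

def commit(tree_id: str, parents: list, msg: str) -> str:
    """A commit names its tree and its parent commit ids, so its own id covers both."""
    lines = [f"tree {tree_id}".encode()]
    lines += [f"parent {p}".encode() for p in parents]
    lines += [b"author " + WHO, b"committer " + WHO, b"", msg.encode()]
    return obj_id("commit", b"\n".join(lines) + b"\n")

def history(snapshots: list) -> list:
    """Build a linear history from file snapshots; return commit ids, oldest first."""
    ids = []
    for i, files in enumerate(snapshots):
        ids.append(commit(tree(files), ids[-1:], f"commit {i}"))
    return ids

def tag_payload(commit_id: str, name: str) -> bytes:
    """Bytes that gpg signs for an annotated tag; they name only the tip commit id."""
    return (f"object {commit_id}\ntype commit\ntag {name}\n".encode()
            + b"tagger " + WHO + b"\n\nrelease\n")

# Constructed history: two commits, then the same history with the oldest blob altered.
good = history([{"Makefile": b"all:\n"}, {"Makefile": b"all:\n", "git.c": b"/* v2 */\n"}])
bad = history([{"Makefile": b"all: x\n"}, {"Makefile": b"all:\n", "git.c": b"/* v2 */\n"}])

if __name__ == "__main__":
    print("tip before:", good[-1])
    print("tip after: ", bad[-1])
    print("signed payload unchanged:", tag_payload(good[-1], "v1") == tag_payload(bad[-1], "v1"))
```

The second snapshot is identical in both histories, so its tree id is the same; the tip commit id still differs because it embeds the parent's id, which is why a gpg signature made over the original tag payload no longer matches the altered history.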