From: Jeff King <peff@peff.net>
To: Junio C Hamano <gitster@pobox.com>
Cc: git@vger.kernel.org, "Shawn O. Pearce" <spearce@spearce.org>
Subject: Re: [PATCH 2/2] push -s: skeleton
Date: Fri, 9 Sep 2011 11:34:41 -0400 [thread overview]
Message-ID: <20110909153441.GB28480@sigill.intra.peff.net> (raw)
In-Reply-To: <7v7h5iwub9.fsf@alter.siamese.dyndns.org>
On Thu, Sep 08, 2011 at 03:19:54PM -0700, Junio C Hamano wrote:
> Jeff King <peff@peff.net> writes:
>
> > Yeah, it is a potential problem, but it just seems wrong to put too much
> > policy work onto the server.
>
> My take on it is somewhat different. The only thing in the end result we
> want to see is that the pushed commits are annotated with GPG signatures
> in the notes tree, and there is no reason for us to cast in stone that
> there has to be any significance in the commit history of the notes tree.
Hmm. Is order really irrelevant? If you push a commit to master, moving
it from X to Y, then push-rewind it back to X, then push a new commit Z,
how do I cryptographically determine the correct final state of master?
I'll see two push-certs, one going X..Y and one X..Z. They'll have
timestamps, which can be used for ordering. But what if the first and
third actions above are done by different people. Now you're trusting
that their clocks are synced to order them properly.
Note that simply keeping an unsigned but ordered notes history doesn't
solve this problem, either; you'd probably want a parent pointer in your
push cert saying "and this is the previous push cert I am based on".
And maybe this is a use case we don't care about. Maybe it's enough for
the push-cert to say "at some point in time, I thought it was a good
idea to push these commits into master; signed, me".
But I'm not really clear on exactly what the security goals are. The
series you sent looks interesting, but I haven't seen the verification
side of these signatures. What are they going to be used for? What
guarantees are we attempting to provide? For that matter, what is our
threat model? What are attackers capable of?
> In a busy hosting site that has many branches being pushed simultaneously,
> it is entirely plausible that the server side may just want to store each
> received push certificate in a new flat file in a filesystem, and have
> asynchronous process sweep the new certificates to update the notes tree,
> possibly creating a single notes tree commit that records updates by
> multiple pushes, for performance purposes, in its implementation of
> record_signed_push() in receive-pack.
OK, I see. It is not "the server can do whatever it likes with the
information" as much as "the server can do whatever it likes, but at the
very least should eventually create a notes tree of a given form".
-Peff
next prev parent reply other threads:[~2011-09-09 15:34 UTC|newest]
Thread overview: 26+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-09-07 20:56 [PATCH 1/2] send-pack: typofix error message Junio C Hamano
2011-09-07 20:57 ` [PATCH 2/2] push -s: skeleton Junio C Hamano
2011-09-07 21:18 ` Shawn Pearce
2011-09-07 22:21 ` Junio C Hamano
2011-09-07 23:23 ` Shawn Pearce
2011-09-08 16:24 ` Junio C Hamano
2011-09-07 22:21 ` Nguyen Thai Ngoc Duy
2011-09-07 22:40 ` Junio C Hamano
2011-09-07 23:55 ` Robin H. Johnson
2011-09-08 20:03 ` Jeff King
2011-09-09 1:30 ` Robin H. Johnson
2011-09-09 16:03 ` Joey Hess
2011-09-09 16:14 ` Drew Northup
2011-09-09 19:12 ` Jeff King
2011-09-08 4:37 ` [PATCH 3/2] Split GPG interface into its own helper library Junio C Hamano
2011-09-08 4:38 ` [PATCH 4/2] push -s: send signed push certificate Junio C Hamano
2011-09-08 5:38 ` [PATCH 5/2] push -s: receiving end Junio C Hamano
2011-09-08 9:31 ` Johan Herland
2011-09-08 16:43 ` Junio C Hamano
2011-09-08 19:35 ` [PATCH 2/2] push -s: skeleton Jeff King
2011-09-08 20:48 ` Junio C Hamano
2011-09-08 21:02 ` Jeff King
2011-09-08 22:19 ` Junio C Hamano
2011-09-09 15:34 ` Jeff King [this message]
2011-09-09 17:32 ` Junio C Hamano
[not found] ` <CAJo=hJsQvRN3Z0xJg9q37Km1g_1qUdJKNQ6n8=a9mv3YjugyVw@mail.gmail.com>
2011-09-09 15:22 ` Jeff King
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20110909153441.GB28480@sigill.intra.peff.net \
--to=peff@peff.net \
--cc=git@vger.kernel.org \
--cc=gitster@pobox.com \
--cc=spearce@spearce.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).