From: "David A. Wheeler" <dwheeler@dwheeler.com>
To: Linus Torvalds <torvalds@osdl.org>
Cc: David Woodhouse <dwmw2@infradead.org>,
Jan Dittmer <jdittmer@ppp0.net>, Greg KH <greg@kroah.com>,
Git Mailing List <git@vger.kernel.org>,
Petr Baudis <pasky@ucw.cz>
Subject: Suggestion: generalize signed tags into "assertion objects"
Date: Sat, 23 Apr 2005 15:30:42 -0400 [thread overview]
Message-ID: <426AA262.3050501@dwheeler.com> (raw)
In-Reply-To: <Pine.LNX.4.58.0504231010580.2344@ppc970.osdl.org>
Linus Torvalds wrote:
> The git-pasky "just remember the tag name" approach certainly works, but I
> was literally thinking o fsetting up some signing system, so that a tag
> doesn't just say "commit 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 is
> v2.6.12-rc2", but it would actually give stronger guarantees, ie it would
> say "Linus says that commit 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 is
> his 2.6.12-rc2 release".
>
> That's something fundamentally more powerful, and it's also something that
> I actually can integrate better into git.
>
> In other words, I actually want to create "tag objects", the same way we
> have "commit objects". A tag object points to a commit object, but in
> addition it contains the tag name _and_ the digital signature of whoever
> created the tag.
I'm thinking out loud here, but maybe instead of just "tag objects",
how about broadening them into "assertion objects" that include
(1) a claim and (2) a signature. Monotone, for example,
can do this -- it has a generalized mechanism for signed assertions.
A claim might be that some commit is a tag
("Linus Torvalds says this is tag 2.6.12-rc2") or even "I did this"
("Greg KH really committed this"). You could create the latter objects
when you push (just sign the head commit), and that would make it
really easy to do checks across an entire repository (who said what?).
Currently people can send signed emails that they really DID
commit something, but then that data's not available to everyone else.
Signed assertions about commits would suddenly make it possible for
arbitrary people to detect & counter subverted repositories (if they
have the public key list); fsck-cache could check signatures as it went.
With a more generalized assertion mechanism,
you could make the same assertion multiple times, e.g., if
your key gets captured, you could go back and re-sign with a new key,
simply creating a new assertion object. You can also make
assertions about multiple objects (e.g., assert some relationship
between far-removed commits). I'd expect assertion
objects to be stored by their hash, just like any other object.
> Then you just distribute these tag objects along with all the other
> objects, and fsck-cache can pick them up even without any other knowledge,
> but normally you'd actually point to them some other way too, ie you could
> have the ".git/tags/xxx" files have the pointers, but now they are
> _validated_ pointers.
Yes, that makes sense. I think .git/tags/xxx should point to
the assertion objects that claim they are tags; you can then check
if you accept the assertion object's signature when you try to use it
(and locally cache that acceptance once you've checked the signature).
For generalized assertion objects, you need a way to travel FROM
the object(s) being described TO the assertion object.
A simple method might be to create subdirectories with the name
derived from the object(s) being described, and inside the
subdirectory have a set of files that have the hashes of
the assertion objects. E.G., this kind of structure
00/
10f32aca7ba78e2cd95dcfedee0e6329edb735 (commit object)
10f32aca7ba78e2cd95dcfedee0e6329edb735.d/
1038e8b8e04b287ec876594cbab9df4af09ce131 ->
../../1038e8b8e04b287ec876594cbab9df4af09ce131
10/
38e8b8e04b287ec876594cbab9df4af09ce131 (assertion object)
There's no reason you can't point to assertions from
multiple places, which would make them cheap to find when needed.
One problem with symlinks is that some dopey filesystems
don't support them :-(. In this case, though, if they got copied
multiple times they'd just waste space & not interfere
with meaning, since they'd all be static read-only.
An alternative would be 0-length files whose names are the hashes.
...
> Somehting like
>
> commit a2755a80f40e5794ddc20e00f781af9d6320fafb
> tag v2.6.12-rc3
> signer Linus Torvalds
>
> This is my official original 2.6.12-rc2 release
>
> -----BEGIN PGP SIGNATURE-----
> ....
> -----END PGP SIGNATURE-----
--- David A. Wheeler
next prev parent reply other threads:[~2005-04-23 19:24 UTC|newest]
Thread overview: 55+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <200504210422.j3L4Mo8L021495@hera.kernel.org>
[not found] ` <1114079347.6277.29.camel@laptopd505.fenrus.org>
2005-04-21 12:23 ` Git-commits mailing list feed David Woodhouse
[not found] ` <42674724.90005@ppp0.net>
[not found] ` <20050422002922.GB6829@kroah.com>
[not found] ` <426A4669.7080500@ppp0.net>
[not found] ` <1114266083.3419.40.camel@localhost.localdomain>
[not found] ` <426A5BFC.1020507@ppp0.net>
[not found] ` <1114266907.3419.43.camel@localhost.localdomain>
2005-04-23 17:31 ` Linus Torvalds
2005-04-23 17:45 ` Linus Torvalds
2005-04-23 17:50 ` Fabian Franz
2005-04-23 23:16 ` Andreas Gal
2005-04-23 17:50 ` Sean
2005-04-23 19:02 ` Thomas Glanzmann
2005-04-23 18:14 ` Sean
2005-04-23 19:34 ` Linus Torvalds
2005-04-23 17:54 ` Thomas Glanzmann
2005-04-23 18:30 ` Linus Torvalds
2005-04-23 18:06 ` Sean
2005-04-23 19:38 ` Linus Torvalds
2005-04-23 18:44 ` Sean
2005-04-23 19:58 ` Linus Torvalds
2005-04-23 19:57 ` Junio C Hamano
2005-04-23 20:23 ` Linus Torvalds
2005-04-23 20:24 ` Junio C Hamano
2005-04-24 23:25 ` Paul Jakma
2005-04-24 23:57 ` Paul Jakma
2005-04-25 1:01 ` David A. Wheeler
2005-04-25 1:35 ` Paul Jakma
2005-04-25 2:13 ` David A. Wheeler
2005-04-25 3:03 ` Paul Jakma
2005-04-25 3:08 ` Paul Jakma
2005-04-25 1:50 ` Linus Torvalds
2005-04-25 2:17 ` Fabian Franz
2005-04-25 2:39 ` Andreas Gal
2005-04-25 2:44 ` Linus Torvalds
2005-04-25 3:32 ` David A. Wheeler
2005-04-25 9:31 ` David Greaves
2005-04-25 3:08 ` David A. Wheeler
2005-04-25 3:24 ` Paul Jakma
2005-04-25 3:40 ` Paul Jakma
2005-04-25 3:47 ` Paul Jakma
2005-04-25 4:39 ` [PATCH] New option (-H) for rpush/rpull to update HEAD Andreas Gal
2005-04-25 4:47 ` Daniel Barkalow
2005-04-25 4:55 ` Andreas Gal
2005-04-25 5:18 ` Daniel Barkalow
2005-04-25 2:34 ` Git-commits mailing list feed Matt Domsch
2005-04-25 2:43 ` Jan Harkes
2005-04-23 18:39 ` Thomas Glanzmann
2005-04-23 18:44 ` Thomas Glanzmann
2005-04-23 18:46 ` Jan Harkes
2005-04-23 20:01 ` Linus Torvalds
2005-04-23 18:54 ` Junio C Hamano
2005-04-23 18:34 ` Jan Harkes
2005-04-23 19:30 ` Linus Torvalds
2005-04-23 20:49 ` Jan Harkes
2005-04-23 21:28 ` Git transfer protocols (was: Re: Git-commits mailing list feed) Mike Taht
2005-04-23 22:22 ` Jan Harkes
2005-04-23 23:29 ` Git-commits mailing list feed Linus Torvalds
2005-04-23 19:30 ` David A. Wheeler [this message]
2005-04-23 20:15 ` Jeff Garzik
2005-04-25 1:26 ` David Woodhouse
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=426AA262.3050501@dwheeler.com \
--to=dwheeler@dwheeler.com \
--cc=dwmw2@infradead.org \
--cc=git@vger.kernel.org \
--cc=greg@kroah.com \
--cc=jdittmer@ppp0.net \
--cc=pasky@ucw.cz \
--cc=torvalds@osdl.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).