From: Junio C Hamano <gitster@pobox.com>
To: Bagas Sanjaya <bagasdotme@gmail.com>
Cc: Git Mailing List <git@vger.kernel.org>,
	 Git l10n discussion group <git-l10n@googlegroups.com>,
	 Jiang Xin <worldhello.net@gmail.com>
Subject: Re: OK to submit l10n PR with signed commits?
Date: Thu, 19 Dec 2024 06:46:56 -0800
Message-ID: <xmqqzfkrlogv.fsf@gitster.g>
In-Reply-To: <xmqqh670nrb9.fsf@gitster.g> (Junio C. Hamano's message of "Wed, 18 Dec 2024 22:02:34 -0800")

Junio C Hamano <gitster@pobox.com> writes:

>>> Instead of talking first about drawbacks, we should consider the
>>> upsides.  Why would we even want to see your GPG signature, when
>>> most of us do not even have your GPG public key in our keychains?
>>> 
>>> What are we trying to achieve by doing this?
>>
>> Just to ensure that PR commits are really from the respective authors.
>
> Yeah, but my point was that it would not ensure, because practically
> nobody has ways to validate the signature was created with your
> private key, and public keyservers have been tainted a long time ago
> with fake keys with the same fingerprint, so would not work as a
> good way to obtain your public key and be sure it is yours.

I think I should rethink this.

Even though I think it is fair to say that more than 99% of people
won't have your public key and even if somebody gave them saying
"this is Bagas' key", they do not have a way to independently verify
it is truly your key (and I think the same thing can be said of my
key).  But in today's world, there are a few places that it does not
matter all that much that you and I do not have each others' keys:
hosting sites.

I think both GitHub and GitLab let you register your public key, so
when they are about to show a commit (or a tag for that matter),
they can

 - notice it is signed;
 - look up the author/tagger/committer ident of the Git object;
 - look up the ident in their user database;
 - find the key(s) of that user account; and
 - verify the signature using the key(s).

and display the user account that the Git object is signed by a key
registered to it.

Now there may be ways to contaminate hosting sites with fake keys
that have the same fingerprints as the real ones registered to fake
user accounts, and that may render such a feature at the hosting
sites less useful.  I haven't thought through the security
implications.

Of course, $CORP or other organizations can have their members
register their public keys and do pretty much the same thing within
their closed world.  Safeguarding the public key database is their
problem so I won't be worried about it, unlike hosting sites where
practically anybody and their dogs can create accounts ;-).

Thanks.
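As an added illustration of the five steps described in the message above (example code, not from this thread and not any hosting site's actual implementation), this Go sketch binds a signature to the account that owns the committer ident rather than to "some registered key". Ed25519 stands in for the OpenPGP/SSH schemes Git actually uses, and the account and commit data are constructed by the caller.

```go
package main

import (
	"crypto/ed25519"
	"strings"
)

// Commit is the part of a Git object the hosting site inspects: the committer ident from
// the header and a detached signature over the payload. Ed25519 stands in for the
// OpenPGP/SSH signature schemes Git actually uses (an assumption of this example).
type Commit struct {
	Committer string // e.g. "Some Name <someone@example.com>"
	Payload   []byte // the bytes that were signed
	Signature []byte // nil if the object is unsigned
}

// Account is a hosting-site user together with the public keys registered to it.
type Account struct {
	Login string
	Keys  []ed25519.PublicKey
}

// identEmail extracts the address between '<' and '>' from a Git ident line.
func identEmail(ident string) string {
	i, j := strings.IndexByte(ident, '<'), strings.LastIndexByte(ident, '>')
	if i < 0 || j < i {
		return ""
	}
	return ident[i+1 : j]
}

// Verify follows the steps in the mail: notice the object is signed, look the ident up
// in the user database (email -> account), find that account's keys and verify with them.
// A signature that validates only against some other account's key is a mismatch.
func Verify(db map[string]*Account, c Commit) (verdict, login string) {
	if len(c.Signature) == 0 {
		return "unsigned", ""
	}
	acct, ok := db[identEmail(c.Committer)]
	if !ok {
		return "signed, but ident not linked to any account", ""
	}
	for _, k := range acct.Keys {
		if ed25519.Verify(k, c.Payload, c.Signature) {
			return "verified", acct.Login
		}
	}
	return "signed, but not by a key registered to " + acct.Login, ""
}
```

The lookup is by claimed ident, not by key fingerprint, so a second account registering a colliding fingerprint does not make a commit appear verified as the first account.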
