From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S932192Ab1JaImf (ORCPT ); Mon, 31 Oct 2011 04:42:35 -0400 Received: from mx2.mail.elte.hu ([157.181.151.9]:51497 "EHLO mx2.mail.elte.hu" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1754421Ab1JaIme (ORCPT ); Mon, 31 Oct 2011 04:42:34 -0400 Date: Mon, 31 Oct 2011 09:40:48 +0100 From: Ingo Molnar To: Linus Torvalds Cc: James Bottomley , Jeff Garzik , Andrew Morton , linux-ide@vger.kernel.org, LKML Subject: Re: [git patches] libata updates, GPG signed (but see admin notes) Message-ID: <20111031084048.GA11807@elte.hu> References: <20111026202235.GA20928@havoc.gtf.org> <1319969101.5215.20.camel@dabdike> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.5.21 (2010-09-15) X-ELTE-SpamScore: -2.0 X-ELTE-SpamLevel: X-ELTE-SpamCheck: no X-ELTE-SpamVersion: ELTE 2.0 X-ELTE-SpamCheck-Details: score=-2.0 required=5.9 tests=AWL,BAYES_00 autolearn=no SpamAssassin version=3.3.1 -2.0 BAYES_00 BODY: Bayes spam probability is 0 to 1% [score: 0.0000] 0.0 AWL AWL: From: address is in the auto white-list Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org * Linus Torvalds wrote: > That said, even the "BEGIN PGP SIGNED MESSAGE" things are a massive > pain in the butt. We need to automate this some sane way, both for > the sender and for the recipient. The most practical form would be if Git supported such oneliner pull requests: git pull git://foo.com bar.branch \ --pull-sha1 0acf00014bcfd71090c3b0d43c98e970108064e4 \ --gpg-by: "Ingo Molnar " \ --gpg-sig: 8a6f134afd1d212fe21345 maintainers could just paste them into a shell and it would abort if it's not trusted. The maintainer verifies the visible, 'Ingo Molnar' bit. The 8a6f134afd1d212fe21345 is a signed-by-Ingo-Molnar version of this content: git://foo.com bar.branch 0acf00014bcfd71090c3b0d43c98e970108064e4 And Git would verify that what ends up being pulled is indeed 0acf00014bcfd and also verifies that it was signed by me. [ If we are extra diligent/paranoid then beyond the sha1 we might even GPG sign the shortlog, or even the full raw log of all commits leading to the sha1: this introduces some Git shortlog and patch formatting version dependency though. Git could also double check foo.com's DNS coherency, or check it against a known-trusted whitelist of domain names specified in the maintainer's .gitconfig, as an extra layer. ] Doing it in this form would remove all the mail formatting madness - one could paste such a pull request into a shell straight away, from HTML email, from text email, from MIME email, etc. In fact i would trust such a Git based solution far more than any opaque, invisible tool that claims to have checked a signature with cooperation of my mail client (ha!). The only somewhat non-obvious bit is that Git should be *very* careful about its key ID and signature parsing strategy, to protect against social engineering attacks. For example neither this: --gpg-by: "Ingo Molnar " nor this: --pgp-by: "Ingo Molnar " malicious pull request should slip through in any fashion: - Git should only use keys that are in your ring of trust - not pull keys from the public keyring automatically and just check coherency of the pull request or such. [I'm sure people will be tempted to have such a feature - but that temptation should be resisted.] - Git should abort the moment it sees an unknown option Thanks, Ingo