Re: HEADS UP: FreeBSD src repo transitioning to git this weekend

From: John-Mark Gurney <jmg_at_funkthat.com>
Date: Tue, 22 Dec 2020 18:32:43 -0800

Steffen Nurpmeso wrote this message on Fri, Dec 18, 2020 at 19:28 +0100:
> Brooks Davis wrote in
>  <20201218175241.GA72552_at_spindle.one-eyed-alien.net>:
>  |On Thu, Dec 17, 2020 at 05:53:20PM -0800, Thomas Mueller wrote:
>  |>>> I hope we don't have to start signing all commits.  saltstack/salt has
>  |>>> that policy, and it's extremely annoying.
>  |> 
>  |>> Have to? Not currently. As with all process changes, there will be
>  |>> community discussion around the different points.
>  |> 
>  |>> Warner
>  |> 
>  |> I hope not!
>  |> 
>  |> Signatures, at least in email messages, are just an annoyance as
>  |> I see them.
>  |> 
>  |> I don't even know how to sign an email message or make use of a
>  |> signature in a message I receive.
>  |> 
>  |> I have never made a commit to a repository, so would not be familiar
>  |> with signatures there; imagine it would be a barrier.
>  |
>  |Signed commits have no practical effect on users of a repo.
> 
> Well you can verify integrity of a repository regardless of how it
> was distributed, this is why it is done, right.
> 
>   #?0$ git log --oneline --show-signature -1 v14.9.20.ar
>   16a21755 (...)
>   gpg: Signature made Sun 13 Dec 2020 12:43:44 AM CET
>   gpg:                using RSA key DF082F6AEEC8C2FF
>   gpg: Good signature from "Steffen Nurpmeso <steffen_at_sdaoden.eu>"
>   Bump S-nail v14.9.20.ar ("Sombre Tit (Trauermeise)"), 2020-12-12
> 
>   #?0$ git tag -v v14.9.20.ar; echo $?
>   object 16a21755fd1fade2b15fdb78a592f12169c3453f
>   type commit
>   tag v14.9.20.ar
>   tagger Steffen Nurpmeso <steffen_at_sdaoden.eu> 1607816624 +0100
>   
>   Bump S-nail v14.9.20.ar ("Sombre Tit (Trauermeise)"), 2020-12-12
>   gpg: Signature made Sun 13 Dec 2020 12:43:44 AM CET
>   gpg:                using RSA key DF082F6AEEC8C2FF
>   gpg: Good signature from "Steffen Nurpmeso <steffen_at_sdaoden.eu>"
>   0

TL;DR I don't see any reason for devs to sign commits.

I could see use for RE (or another entity) to occasionally (weekly?)
sign the repo (say COPYRIGHT or UPDATING), and it would be nice for
them to sign all the tags used for releases, but having every dev
would both make the dev's life difficult...

It's also hard to collect ALL the keys of the devs at any point in
time to decide if that key is authorized to sign a commit in the
repo...  Like if a dev starts in 2021, any commits made by that
dev prior to 2021 should not be "valid"..  Then there's also the
issue that people's keys change over time, and now you need to know
what time period each key was valid for, otherwise a compromised key
could be used to insert malicious changes into your/the tree...

Then there's also the point that the repo is (looks like it) using
SHA-1 hashes, which are effectively broken, so depending upon them
to validate the tree is questionable anyways.

-- 
  John-Mark Gurney				Voice: +1 415 225 5579

     "All that I will do, has been done, All that I have, has not."
Received on Wed Dec 23 2020 - 01:32:53 UTC
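
The per-key validity problem raised in the message above, as an added example that is not part of the original thread: each good signature is accepted only if its key was authorized at the commit's timestamp. The keyring, fingerprints, commit ids and log lines are constructed placeholders; the input shape assumes `git log --format='%H %G? %GF %ct'`.

```python
from datetime import datetime, timezone

def ts(day):
    """Parse YYYY-MM-DD as a UTC epoch timestamp."""
    return int(datetime.strptime(day, "%Y-%m-%d").replace(tzinfo=timezone.utc).timestamp())

# Hypothetical keyring: fingerprint -> (valid_from, valid_until); None = still valid.
KEYRING = {
    "AAAA000000000000000000000000000000000001": (ts("2015-01-01"), ts("2019-06-30")),
    "BBBB000000000000000000000000000000000002": (ts("2021-01-01"), None),
}

# Constructed sample: commit id, %G? status, %GF fingerprint, %ct committer time.
SAMPLE_LOG = """\
c0ffee01 G AAAA000000000000000000000000000000000001 1546300800
c0ffee02 G AAAA000000000000000000000000000000000001 1608000000
c0ffee03 G BBBB000000000000000000000000000000000002 1577836800
c0ffee04 G BBBB000000000000000000000000000000000002 1612137600
c0ffee05 N  1612137600
c0ffee06 G CCCC000000000000000000000000000000000003 1612137600
"""

def check_commit(line, keyring=KEYRING):
    """Return (commit, verdict) for one log line."""
    fields = line.split()
    commit, status = fields[0], fields[1]
    if status != "G":                      # anything but a good signature
        return commit, "unsigned-or-bad"
    fpr, when = fields[2], int(fields[3])
    if fpr not in keyring:
        return commit, "unknown-key"
    start, end = keyring[fpr]
    # Caveat: %ct is chosen by whoever creates the commit, so this catches
    # stale-key use but not a stolen key used to backdate a commit.
    if when < start:
        return commit, "before-key-valid"
    if end is not None and when > end:
        return commit, "after-key-retired"
    return commit, "ok"

def audit(log_text):
    """Map every commit in the log to its verdict."""
    return dict(check_commit(l) for l in log_text.splitlines() if l.strip())

if __name__ == "__main__":
    for commit, verdict in audit(SAMPLE_LOG).items():
        print(commit, verdict)
```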
