[Cryptography-dev] Verifying our History by Signing Commits

Donald Stufft donald at stufft.io
Fri Aug 9 12:56:27 CEST 2013


On Aug 9, 2013, at 6:42 AM, Laurens Van Houtven <_ at lvh.io> wrote:

> Is this orthogonal to release tagging and signing? I mean, the signed tag also implies a signed DAG up to a point... Code review should fix the horror story, I think.

Yes, it's orthogonal. The supposed problem with simply signing the tag is that it verifies the DAG, yes, but did you verify it? Did you go through each commit and make sure it wasn't maliciously added when the release was tagged?

If Github has a breach we currently have no way to verify each commit in our tree. Really even if one of our computers gets breached. AFAIK nobody bothers to review each commit between the last signed tag and the soon to be tagged release to ensure nothing bad was added without our knowing.

> 
> Signing merge commits definitely makes sense to me; signing individual commits is okay, but that's what Fossil does by default, and let me tell you, typing your key in all the time gets boring quick :) 

Yes, the obvious problem being if you don't squash the merges then again you're trusting that nothing was slipped into the tree unless you're verifying each commit.

We may or may not care (or may care to some level), but JP brought it up and I thought it was an interesting enough idea to warrant discussion.

> 
> cheers
> lvh


-----------------
Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
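The check Donald describes (walk every commit between the last signed tag and the release candidate, not just the tags, and not just the merges) as an added example. This is not code from the thread or from the cryptography project; it assumes a modern git whose `--format=%G?` placeholder reports signature status, that the signers' public keys are in the verifying machine's GnuPG keyring, and the sample log lines below are constructed for illustration (seven-character stand-in SHAs, `0000000` playing the last signed tag's commit, which lies outside the range):

```python
"""Audit signatures on every commit between the last signed tag and HEAD.

Added example (hypothetical helper names); not the project's own tooling.
Real usage: commits = git_log("1.0..HEAD"); audit(commits, list(commits))
"""
import subprocess
from dataclasses import dataclass

# Letters printed by git's %G? placeholder (git-log(1), PRETTY FORMATS).
SIG_STATUS = {
    "G": "good signature",
    "B": "bad signature",
    "U": "good signature, key validity unknown",
    "X": "good signature, but expired",
    "Y": "good signature, but key expired",
    "R": "good signature, but key revoked",
    "E": "signature cannot be checked (missing key?)",
    "N": "no signature",
}
# Accepting only "G" is a policy choice: it requires the signing key to be
# valid in the local web of trust. Pinning fingerprints via %GK instead is
# equally reasonable; do not accept "U" blindly.
ACCEPT = {"G"}

# sha <TAB> signature status <TAB> space-separated parent shas
LOG_FORMAT = "%H%x09%G?%x09%P"


@dataclass(frozen=True)
class Commit:
    sha: str
    status: str
    parents: tuple


def parse_log(text):
    """Parse `git log --format=LOG_FORMAT` output into {sha: Commit}, in log order."""
    commits = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        sha, status, parents = (line.split("\t") + ["", ""])[:3]
        commits[sha] = Commit(sha, status, tuple(parents.split()))
    return commits


def git_log(rev_range, cwd="."):
    """Run git for real, e.g. git_log("1.0..HEAD"). Not exercised by the sample."""
    proc = subprocess.run(["git", "log", f"--format={LOG_FORMAT}", rev_range],
                          cwd=cwd, check=True, capture_output=True, text=True)
    return parse_log(proc.stdout)


def first_parent_chain(commits, head):
    """What `git log --first-parent` sees: HEAD and each first parent in range."""
    chain, sha = [], head
    while sha in commits:
        chain.append(sha)
        parents = commits[sha].parents
        sha = parents[0] if parents else None
    return chain


def audit(commits, shas):
    """Return [(sha, reason)] for each commit in `shas` not acceptably signed."""
    return [(s, SIG_STATUS.get(commits[s].status, "unknown status"))
            for s in shas if commits[s].status not in ACCEPT]


# Constructed sample: a signed merge (aaaaaaa) of a signed mainline commit
# (bbbbbbb) with a side branch whose commits are unsigned (ccccccc) or
# signed by a key we don't have (ddddddd). Both branch off the tag 0000000.
SAMPLE_LOG = """\
aaaaaaa\tG\tbbbbbbb ccccccc
ccccccc\tN\tddddddd
ddddddd\tE\t0000000
bbbbbbb\tG\t0000000
"""


def main():
    commits = parse_log(SAMPLE_LOG)
    head = "aaaaaaa"
    # Checking only the merge commits looks clean...
    print("first-parent view:", audit(commits, first_parent_chain(commits, head)))
    # ...but the full range exposes what the merge pulled in.
    for sha, reason in audit(commits, list(commits)):
        print(f"UNVERIFIED {sha}: {reason}")


if __name__ == "__main__":
    main()
```

The contrast between the two `audit` calls is the point of the thread: a signed merge commit vouches for the merge, but unless the merged work was squashed into it, the commits on the side branch are separate objects with their own (possibly absent) signatures, and only a walk over the full `tag..HEAD` range catches them. The same walk is what a release manager would run against a freshly cloned copy after a hosting breach, since it depends only on locally held public keys and not on anything the remote says.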
