From: Konstantin Ryabitsev <konstantin@linuxfoundation.org>
To: Jeff King <peff@peff.net>
Cc: Junio C Hamano <gitster@pobox.com>, git@vger.kernel.org
Subject: Re: expired key in junio-gpg-pub
Date: Tue, 7 Sep 2021 16:41:00 -0400 [thread overview]
Message-ID: <20210907204100.ptapvn4wrqn3qrzq@meerkat.local> (raw)
In-Reply-To: <YTfL/eLKOiJdpH1c@coredump.intra.peff.net>
On Tue, Sep 07, 2021 at 04:30:53PM -0400, Jeff King wrote:
> > I am reasonably sure that I've done update with pgp.mit.edu when I
> > refreshed the expiration last time, but apparently I didn't update
> > the in-tree copy. I doubt that it is a good practice to ship the
> > public key used to sign things in the repository in the repository
> > itself, but if are not dropping the tag, I agree I should keep it up
> > to date.
>
> Yeah, I agree that the is potentially problematic: it's a circular
> dependency, plus updating tags is awkward, per Ævar's other message.
It's not really as circular as it would appear at the outset -- at least not
any more circular than any other situation, in reality. E.g. my favourite
example:
1. you should verify the checksum of your distro's ISO before installing it
2. the checksum is available over a trusted https:// connection
3. the trust anchors for that https verification come with the browser package
4. which was installed from the ISO you downloaded the last time
5. goto 1
Bootstrapping trust is a hard problem and no matter how you look at it, at
some point you have to just close your eyes and hope that the adversary isn't
one step ahead of you.
So, I'd say putting the key into the git repository itself is fine. After all,
it gets imported into the local PGP keyring on someone's workstation, where it
gets a separate life of its own.
-K
prev parent reply other threads:[~2021-09-07 20:41 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-09-07 18:12 expired key in junio-gpg-pub Jeff King
2021-09-07 18:20 ` Konstantin Ryabitsev
2021-09-07 19:22 ` Jeff King
2021-09-07 19:44 ` Ævar Arnfjörð Bjarmason
2021-09-07 19:49 ` Junio C Hamano
2021-09-07 20:30 ` Jeff King
2021-09-07 20:41 ` Konstantin Ryabitsev [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: http://vger.kernel.org/majordomo-info.html
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210907204100.ptapvn4wrqn3qrzq@meerkat.local \
--to=konstantin@linuxfoundation.org \
--cc=git@vger.kernel.org \
--cc=gitster@pobox.com \
--cc=peff@peff.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://80x24.org/mirrors/git.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).