From: "Jason Pyeron" <jpyeron@pdinc.us>
To: "'Junio C Hamano'" <gitster@pobox.com>,
"'Stefan Beller'" <stefanbeller@gmail.com>, <git@vger.kernel.org>
Subject: RE: [PATCH 00/18] Signed push
Date: Mon, 25 Aug 2014 14:38:46 -0400 [thread overview]
Message-ID: <7CB248C93DCA465FB383B6A248C81595@black> (raw)
In-Reply-To: <xmqqha10mp3z.fsf@gitster.dls.corp.google.com>
> -----Original Message-----
> From: Junio C Hamano
> Sent: Monday, August 25, 2014 13:55
>
> Stefan Beller <stefanbeller@gmail.com> writes:
>
> >> "burden" is not an issue, as I'll be signing the push certificate
> >> anyway when I push. A signed tag or a signed commit and
> signed push
> >> certificate solves two completely separate and orthogonal issues.
> >>
> >> What happens if you break into GitHub or k.org and did
> >>
> >> $ git tag maint_2014_08_22 master_2014_08_22
> >
> > Ok, I personally haven't used tags a lot.
> > I just tried to
> > git tag -s testbreaktag v2.1.0
> > git show testbreaktag
> > # However it would still read:
> > tag v2.1.0
> > Tagger: Junio C Hamano <gitster@pobox.com>
> > Date: Fri Aug 15 15:09:28 2014 -0700
> >
> > So as I do not posess your private key I could not create
> signed tags
> > even if I were to break into github/k.org
>
> The point was that after I push to 'maint', you break into the site
> and copy or move that tag as if I pushed to 'master'.
What is needed is not a signed push per se, but rather a need for a set of signed HEADS ...
>
> You could argue that I could create a signed tag 'maint-2014-08-25',
> push it, and if you moved it to tags/master-2014-08-25 as an
> attacker, the refname would not match the "tag " line in the signed
> tag object. While that is true, nobody other thaan fsck checks the
> contents on the "tag " line in practice.
>
> But more importantly.
>
> I may deem a commit a sensible version for the 'master' branch of
> one repository but it would not be sensible for another repository's
> 'master' branch. Imagine a world just like the kernel development
> during 2.6 era used to be, where there was a separate tree 2.4
> maintained with its own 'master' branch. What is appropriate for
> the tip of 'master' to one repository is not good for the other one,
... and these signed HEADS need to be tied to a particular repository instance. AFAIK git does not have any unique identifier per repository instance to leverage. If you were to make a repository instance id you could take that and the branch name as input to a signed hash for verification later. But this leads to deeper issues about new workflow, new configuration storage mechanisms, etc.
> and your timestamped "tag " line may say for which branch the push
> was for but does not say for which repository. The exact problem is
> also shared with the desire to have a "branch" object expressed
> elsewhere; as there is no identity for a "branch" in a distributed
> world, trying to name "branch" as if it is a global entity without
> mentioning what repository will lead to tears.
>
> Besides, these tags/maint-2014-08-25 tags will be interesting only
> for those who are auditing and not for general public, and we do not
> have a good way to "hide" uninteresting refs until those with narrow
> niche interest ask yet, which is something we may want to add soon,
> but I do not want "auditable push" taken hostage to that unrelated
> feature.
> --
> To unsubscribe from this list: send the line "unsubscribe git" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
>
>
prev parent reply other threads:[~2014-08-25 18:39 UTC|newest]
Thread overview: 59+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-08-19 22:06 [PATCH 00/18] Signed push Junio C Hamano
2014-08-19 22:06 ` [PATCH 01/18] receive-pack: do not overallocate command structure Junio C Hamano
2014-08-19 22:06 ` [PATCH 02/18] receive-pack: parse feature request a bit earlier Junio C Hamano
2014-08-19 22:31 ` Junio C Hamano
2014-08-19 22:06 ` [PATCH 03/18] receive-pack: do not reuse old_sha1[] to other things Junio C Hamano
2014-08-19 22:32 ` Junio C Hamano
2014-08-19 22:06 ` [PATCH 04/18] receive-pack: factor out queueing of command Junio C Hamano
2014-08-19 22:06 ` [PATCH 05/18] send-pack: move REF_STATUS_REJECT_NODELETE logic a bit higher Junio C Hamano
2014-08-19 22:06 ` [PATCH 06/18] send-pack: refactor decision to send update per ref Junio C Hamano
2014-08-19 22:06 ` [PATCH 07/18] send-pack: always send capabilities Junio C Hamano
2014-08-19 22:06 ` [PATCH 08/18] send-pack: factor out capability string generation Junio C Hamano
2014-08-19 22:06 ` [PATCH 09/18] send-pack: rename "new_refs" to "need_pack_data" Junio C Hamano
2014-08-19 22:06 ` [PATCH 10/18] send-pack: refactor inspecting and resetting status and sending commands Junio C Hamano
2014-08-19 22:06 ` [PATCH 11/18] send-pack: clarify that cmds_sent is a boolean Junio C Hamano
2014-08-19 22:06 ` [PATCH 12/18] gpg-interface: move parse_gpg_output() to where it should be Junio C Hamano
2014-08-19 22:06 ` [PATCH 13/18] gpg-interface: move parse_signature() " Junio C Hamano
2014-08-19 22:06 ` [PATCH 14/18] pack-protocol doc: typofix for PKT-LINE Junio C Hamano
2014-08-19 22:06 ` [PATCH 15/18] the beginning of the signed push Junio C Hamano
2014-08-20 2:48 ` brian m. carlson
2014-08-20 6:57 ` Bert Wesarg
2014-08-20 23:41 ` Junio C Hamano
2014-08-19 22:06 ` [PATCH 16/18] receive-pack: GPG-validate push certificates Junio C Hamano
2014-08-20 16:56 ` David Turner
2014-08-20 17:29 ` Junio C Hamano
2014-08-20 17:56 ` David Turner
2014-08-20 19:38 ` Junio C Hamano
2014-08-21 23:59 ` David Turner
2014-08-22 0:11 ` Junio C Hamano
2014-08-19 22:06 ` [PATCH 17/18] send-pack: send feature request on push-cert packet Junio C Hamano
2014-08-19 22:06 ` [PATCH 18/18] signed push: final protocol update Junio C Hamano
2014-08-21 19:28 ` Shawn Pearce
2014-08-21 23:40 ` Junio C Hamano
2014-08-22 3:06 ` Kyle J. McKay
2014-08-22 17:59 ` Junio C Hamano
2014-08-22 23:54 ` Shawn Pearce
2014-08-25 17:59 ` Junio C Hamano
2014-08-26 17:33 ` Shawn Pearce
2014-08-26 19:38 ` Junio C Hamano
2014-08-26 19:52 ` Junio C Hamano
2014-09-04 23:57 ` Junio C Hamano
2014-09-05 2:41 ` Shawn Pearce
2014-08-22 4:20 ` Junio C Hamano
2014-08-22 0:22 ` David Turner
2014-08-19 23:07 ` [PATCH 00/18] Signed push Duy Nguyen
2014-08-19 23:29 ` Junio C Hamano
2014-08-20 1:19 ` Nico Williams
2014-08-20 2:54 ` Junio C Hamano
2014-08-20 5:57 ` Junio C Hamano
2014-08-20 2:39 ` Junio C Hamano
2014-08-20 6:28 ` Nico Williams
2014-08-22 19:59 ` Stefan Beller
2014-08-22 20:03 ` Junio C Hamano
2014-08-22 20:22 ` Stefan Beller
2014-08-22 20:33 ` Junio C Hamano
2014-08-22 20:38 ` Stefan Beller
2014-08-22 22:32 ` Junio C Hamano
2014-08-22 22:51 ` Stefan Beller
2014-08-25 17:54 ` Junio C Hamano
2014-08-25 18:38 ` Jason Pyeron [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: http://vger.kernel.org/majordomo-info.html
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=7CB248C93DCA465FB383B6A248C81595@black \
--to=jpyeron@pdinc.us \
--cc=git@vger.kernel.org \
--cc=gitster@pobox.com \
--cc=stefanbeller@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://80x24.org/mirrors/git.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).