From: "Gamblin, Todd" <gamblin2@llnl.gov>
To: Konstantin Ryabitsev <konstantin@linuxfoundation.org>
Cc: Junio C Hamano <gitster@pobox.com>,
Philip Oakley <philipoakley@iee.email>,
"git@vger.kernel.org" <git@vger.kernel.org>
Subject: Re: Commit SHA1 == SHA1 checksum?
Date: Tue, 8 Feb 2022 06:23:43 +0000 [thread overview]
Message-ID: <BE3E3354-F2F4-47D7-8DA7-27ABCD3A5E90@llnl.gov> (raw)
In-Reply-To: <20220207224654.aju3rmxcrhapi4d2@meerkat.local>
> On Feb 7, 2022, at 2:46 PM, Konstantin Ryabitsev <konstantin@linuxfoundation.org> wrote:
>
> On Mon, Feb 07, 2022 at 10:29:37PM +0000, Gamblin, Todd wrote:
>>> 2. packagers would be able to perform cryptographic verification without
>>> needing to track any extra sources like corresponding .sig files; they
>>> would just need to add a build-time dependency on git (plus whatever it
>>> calls for cryptographic verification, such as gnupg or openssh)
>>
>> This is a cool idea, but tar/gzip/etc. are vulnerable to input attacks (or
>> at least there have been CVEs in the past), so this does not eliminate the
>> need to verify a downloaded .tar or .tar.gz file independently. You can
>> verify the contents of the tar, but to do that you have to expand it, and to
>> do that you’re still passing untrusted input to tar.
>
> That's not really different from what git does when it clones a remote
> repository to run "git verify-tag". It still accepts untrusted input from the
> remote server, performs a lot of compression/decompression operations, etc, so
> this is not introducing anything that git isn't already required to do.
>
> I know there's a lot to be said about the simplicity of just computing a
> signature over file bytes, but there are features you end up sacrificing, such
> as ability to provide a single signature for multiple compression types,
> adding a better compression algorithm in the future, or simply recompressing
> with better flags in a long background process.
>
> My goal is to improve the current situation where we're actually doing pretty
> good for signed in-git objects, but none of that is carried over to packaging
> systems. The only effort I know in that area is sigstore, but it requires
> quite a bit of work to properly use on the part of the project maintainer,
> whereas it would be great to be able to say "just do git tag -s and the
> packaging systems will be able to use that.”
I agree this would be really nice. If the tarball (or whatever) created could also be signed, so that it could be trusted regardless of the particular server you fetch it from, it might work as a nice packaging format. Maybe you could have a signed header with the hash of the tarball that’s produced? You wouldn’t really need a signed tag in that case.
Our use for this would be to host these signed git archives (.gar files?) on mirrors — which we may or may not trust. If I can get around the hostile tarball issue I’d be super excited about the idea.
-Todd
next prev parent reply other threads:[~2022-02-08 6:24 UTC|newest]
Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-02-05 1:19 Commit SHA1 == SHA1 checksum? Gamblin, Todd
2022-02-06 0:22 ` Philip Oakley
2022-02-06 9:00 ` Gamblin, Todd
2022-02-06 10:23 ` Johannes Sixt
2022-02-06 10:15 ` Junio C Hamano
2022-02-06 19:25 ` Philip Oakley
2022-02-06 20:02 ` Junio C Hamano
2022-02-06 21:33 ` Philip Oakley
2022-02-07 8:15 ` Gamblin, Todd
2022-02-07 13:15 ` Konstantin Ryabitsev
2022-02-07 21:08 ` Gamblin, Todd
2022-02-07 13:32 ` Konstantin Ryabitsev
2022-02-07 20:57 ` Junio C Hamano
2022-02-07 21:34 ` Konstantin Ryabitsev
2022-02-07 22:29 ` Gamblin, Todd
2022-02-07 22:46 ` Konstantin Ryabitsev
2022-02-08 6:23 ` Gamblin, Todd [this message]
2022-02-07 22:49 ` Junio C Hamano
2022-02-07 23:02 ` Konstantin Ryabitsev
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: http://vger.kernel.org/majordomo-info.html
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=BE3E3354-F2F4-47D7-8DA7-27ABCD3A5E90@llnl.gov \
--to=gamblin2@llnl.gov \
--cc=git@vger.kernel.org \
--cc=gitster@pobox.com \
--cc=konstantin@linuxfoundation.org \
--cc=philipoakley@iee.email \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://80x24.org/mirrors/git.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).