From: Linus Torvalds <torvalds@osdl.org>
To: A Large Angry SCM <gitzilla@gmail.com>
Cc: Git Mailing List <git@vger.kernel.org>,
"H. Peter Anvin" <hpa@zytor.com>,
"Eric W. Biederman" <ebiederm@xmission.com>,
Daniel Barkalow <barkalow@iabervon.org>,
Junio C Hamano <junkio@cox.net>,
ftpadmin@kernel.org
Subject: Re: Tags
Date: Sat, 2 Jul 2005 17:17:43 -0700 (PDT) [thread overview]
Message-ID: <Pine.LNX.4.58.0507021656250.8247@g5.osdl.org> (raw)
In-Reply-To: <42C727FC.3030900@gmail.com>
On Sat, 2 Jul 2005, A Large Angry SCM wrote:
>
> Linus Torvalds wrote:
> >
> > None of git itself normally has any "trust". The SHA1 means that the
> > _integrity_ of the archive is ensured, but for some things (notably
> > releases), you want to have something else. That's the "tag object".
> >
>
> But can't the commit object do this just as well by signing the commit text?
Yes and no.
Technically yes, absolutely, you could add a signature to the commit text.
However, that's just wrong for several reasons:
First off, the signing is not necessarily done by the person committing
something. Think of any paperwork: the person that signs the paperwork is
not necessarily the same person that _wrote_ the paperwork. A signature is
a "witness".
For an example of this, look at the signatures that we've had for a long
time on kernel.org: check out the files like "patch-2.6.8.1.sign". That's
a signature, but it's not a signature by _me_. It's kernel.org signing the
thing so that downstream people can verify things.
And it would be not only wrong, but literally _impossible_ for me to do it
in the commit. I don't have (or want to have) the kernel.org private key.
That's not what the signature is about. kernel.org is signing that "this
is what I got, and what I passed on". It's not signing that "this is what
I wrote".
In a lot of systems, you tag something good after it has passed a
regression test. Ie the _tag_ may happen days or even weeks after the
commit has been done.
So any system that signs commits directly is doing something _wrong_.
Secondly, you can say that you trust other things. In git, you can tag
individual blobs, and you can tag individual trees. For an example of
where it makes sense to tag (sign) individual file versions, we've
actually had things like ISDN drivers (or firmware) that passed some telco
verification suite, and in certain countries it used to be that you
weren't legally supposed to use hadrware that hadn't passed that suite. In
cases like that, you could sign the particular version of the driver, and
say "this one is good".
(Yeah, those laws are happily going away, but I think the ISDN people in
germany actually ended up doing exactly that, except they obviously didn't
use git signatures. I think they had a list of file+md5sum).
Finally, it's a tools issue. It's wrong to mix up the notion of committing
and signing in the same thing, because that just complicates a tool that
has to be able to do both. Now you can have a nice graphical commit tool,
and it doesn't need to know about public keys etc to be useful - you can
use another tool to do the signing.
Small is beautiful, but "independent" is even more so.
> Your tendency is to use tag objects as a permanent, public label of some
> state. Signing the commit text or the email stating that commit
> ${COMMIT_SHA} would work just as well for verification purposes.
Well, according to that logic, you'd never need signatures at all - you
can always keep them totally outside the system.
But if they are totally outside the system, then you have to have some
other mechanism to track them, and you can never trust a git archive on
its own. My goal with the tag objects was that you can just get my git
archive, and the archive is _inherently_ trustworthy, because if you care,
you can verify it without any external input at all (except you need to
know my public key, of course, but that's not a tools issue any more,
that's about how signatures work).
So by having tag objects, I can just have refs to them, and anything that
can fetch a ref (which implies _any_ kind of "pull" functionality) can get
it. No special cases. No crap.
Do one thing, and do it well. Git does objects with relationships. That's
really what git is all about, and the "tag object" fits very well into
that mentality.
Linus
next prev parent reply other threads:[~2005-07-03 0:18 UTC|newest]
Thread overview: 86+ messages / expand[flat|nested] mbox.gz Atom feed top
2005-06-30 17:54 "git-send-pack" Linus Torvalds
2005-06-30 18:24 ` "git-send-pack" A Large Angry SCM
2005-06-30 18:27 ` "git-send-pack" A Large Angry SCM
2005-06-30 19:04 ` "git-send-pack" Linus Torvalds
2005-06-30 18:45 ` "git-send-pack" Jan Harkes
2005-06-30 19:01 ` "git-send-pack" Mike Taht
2005-06-30 19:42 ` "git-send-pack" Linus Torvalds
2005-07-01 9:50 ` "git-send-pack" Matthias Urlichs
2005-06-30 19:44 ` "git-send-pack" Linus Torvalds
2005-06-30 20:38 ` "git-send-pack" Junio C Hamano
2005-06-30 21:05 ` "git-send-pack" Daniel Barkalow
2005-06-30 21:29 ` "git-send-pack" Linus Torvalds
2005-06-30 21:55 ` "git-send-pack" H. Peter Anvin
2005-06-30 22:26 ` "git-send-pack" Linus Torvalds
2005-06-30 23:40 ` "git-send-pack" H. Peter Anvin
2005-07-01 0:02 ` "git-send-pack" Linus Torvalds
2005-07-01 1:24 ` "git-send-pack" H. Peter Anvin
2005-07-01 23:44 ` "git-send-pack" Mike Taht
2005-07-02 0:07 ` "git-send-pack" H. Peter Anvin
2005-07-02 1:56 ` "git-send-pack" Linus Torvalds
2005-07-02 4:08 ` "git-send-pack" H. Peter Anvin
2005-07-02 4:22 ` "git-send-pack" Linus Torvalds
2005-07-02 4:29 ` "git-send-pack" H. Peter Anvin
2005-07-02 17:16 ` "git-send-pack" Linus Torvalds
2005-07-02 17:37 ` "git-send-pack" H. Peter Anvin
2005-07-02 17:44 ` "git-send-pack" Tony Luck
2005-07-02 17:48 ` "git-send-pack" H. Peter Anvin
2005-07-02 18:12 ` "git-send-pack" A Large Angry SCM
2005-06-30 22:25 ` "git-send-pack" Daniel Barkalow
2005-06-30 23:56 ` "git-send-pack" Linus Torvalds
2005-07-01 5:01 ` "git-send-pack" Daniel Barkalow
2005-06-30 21:08 ` "git-send-pack" Linus Torvalds
2005-06-30 21:10 ` "git-send-pack" Dan Holmsand
2005-06-30 19:49 ` "git-send-pack" Daniel Barkalow
2005-06-30 20:12 ` "git-send-pack" Linus Torvalds
2005-06-30 20:23 ` "git-send-pack" H. Peter Anvin
2005-06-30 20:52 ` "git-send-pack" Linus Torvalds
2005-06-30 21:23 ` "git-send-pack" H. Peter Anvin
2005-06-30 21:26 ` "git-send-pack" H. Peter Anvin
2005-06-30 21:42 ` "git-send-pack" Linus Torvalds
2005-06-30 22:00 ` "git-send-pack" H. Peter Anvin
2005-07-01 10:31 ` "git-send-pack" Matthias Urlichs
2005-07-01 14:43 ` "git-send-pack" Jan Harkes
2005-07-01 13:56 ` Tags Eric W. Biederman
2005-07-01 16:37 ` Tags H. Peter Anvin
2005-07-01 22:38 ` Tags Eric W. Biederman
2005-07-01 22:44 ` Tags H. Peter Anvin
2005-07-01 23:07 ` Tags Eric W. Biederman
2005-07-01 23:22 ` Tags Daniel Barkalow
2005-07-02 0:06 ` Tags H. Peter Anvin
2005-07-02 7:00 ` Tags Eric W. Biederman
2005-07-02 17:47 ` Tags H. Peter Anvin
2005-07-02 17:54 ` Tags Eric W. Biederman
2005-07-02 17:58 ` Tags H. Peter Anvin
2005-07-02 18:31 ` Tags Eric W. Biederman
2005-07-02 19:55 ` Tags Matthias Urlichs
2005-07-02 21:16 ` Tags H. Peter Anvin
2005-07-02 21:39 ` Tags Linus Torvalds
2005-07-02 21:42 ` Tags H. Peter Anvin
2005-07-02 22:02 ` Tags A Large Angry SCM
2005-07-02 22:20 ` Tags Linus Torvalds
2005-07-02 23:49 ` Tags A Large Angry SCM
2005-07-03 0:17 ` Linus Torvalds [this message]
2005-07-02 22:14 ` Tags Petr Baudis
2005-07-02 22:17 ` Tags Linus Torvalds
2005-07-03 0:04 ` Tags Dan Holmsand
2005-07-03 22:34 ` Tags Kevin Smith
2005-07-05 13:04 ` Tags Eric W. Biederman
2005-07-05 16:21 ` Tags Daniel Barkalow
2005-07-05 17:51 ` Tags Eric W. Biederman
2005-07-05 18:33 ` Tags Linus Torvalds
2005-07-05 19:22 ` Tags Junio C Hamano
2005-07-06 18:04 ` Tags Matthias Urlichs
2005-07-07 3:31 ` Tags Eric W. Biederman
2005-07-02 18:45 ` Tags Linus Torvalds
2005-07-02 20:38 ` Tags Jan Harkes
2005-07-02 22:32 ` Tags Jan Harkes
2005-07-02 16:00 ` Tags Matthias Urlichs
2005-07-01 18:09 ` Tags Petr Baudis
2005-07-01 18:37 ` Tags H. Peter Anvin
2005-07-01 21:20 ` Tags Matthias Urlichs
2005-07-01 21:42 ` Tags Petr Baudis
2005-07-01 21:52 ` Tags H. Peter Anvin
2005-07-01 22:27 ` Tags Daniel Barkalow
2005-07-01 22:59 ` Tags Petr Baudis
2005-06-30 20:49 ` "git-send-pack" Daniel Barkalow
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: http://vger.kernel.org/majordomo-info.html
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=Pine.LNX.4.58.0507021656250.8247@g5.osdl.org \
--to=torvalds@osdl.org \
--cc=barkalow@iabervon.org \
--cc=ebiederm@xmission.com \
--cc=ftpadmin@kernel.org \
--cc=git@vger.kernel.org \
--cc=gitzilla@gmail.com \
--cc=hpa@zytor.com \
--cc=junkio@cox.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://80x24.org/mirrors/git.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).