From: Junio C Hamano <gitster@pobox.com>
To: Stefan Beller <sbeller@google.com>
Cc: tom@oxix.org, Matthieu Moy <Matthieu.Moy@imag.fr>,
"git\@vger.kernel.org" <git@vger.kernel.org>
Subject: Re: [Request for Documentation] Differentiate signed (commits/tags/pushes)
Date: Mon, 06 Mar 2017 14:13:00 -0800 [thread overview]
Message-ID: <xmqqshmqm4ur.fsf@junio-linux.mtv.corp.google.com> (raw)
In-Reply-To: <CAGZ79kYxD9B_+3vBgO+Z-wh2GMg_REazA-xpTSAqe3_64VMV3w@mail.gmail.com> (Stefan Beller's message of "Mon, 6 Mar 2017 11:59:24 -0800")
Stefan Beller <sbeller@google.com> writes:
> What is the difference between signed commits and tags?
> (Not from a technical perspective, but for the end user)
When you "commit -s", you are signing the bytes in the commit
object, which means that you are attesting the fact that the tree
you wanted to record is one of the 47 other colliding tree objects
that happen to share that 40-hex hash value, and also the fact that
the commits you wanted to record as its parents have certain SHA-1
hash values. As you are relying on the resistance to preimage
attack against SHA-1 at least locally around that signed commit,
there wouldn't be meaningful difference between a 50-commit series
each of which is individually signed with "commit -s", such a
50-commit series, only the top of which is signed with "commit -s",
and the same 50-commit series, on the top of which is signed with
"tag -s".
"tag -s" also has the benefit of being retroactive. You can create
commit, think about it for a week and then later tag it. And ask
others to also tag the same one. You cannot do so with "commit -s".
> A signed push can certify that a given payload (consisting
> of multiple commits on possibly multiple branches) was transmitted
> to a remote, which can be recorded by the remote as e.g. a proof
> of work.
A signed push is _NOT_ about certifying the objects in the history
DAG. It is about certifying the _intent_ of pointing _REFS_ into
points in the object graph. "This is a commit I made to add feature
frotz" is something you might say with "commit -s" and "these
commits behind this point are for upcoming 2.13 release" is
something you might say with "tag -s v2.13-rc0". But "I made it"
and "I made it for this purpose" are different things. I may not
want the "feature frotz" commit included in the maintenance track,
so it would be a mistake for push a history that contains it to
update refs/heads/maint ref. A push certificate can protect hosting
sites like GitHub, when I complain to them saying "you guys are
pointing at a wrong commit with refs/heads/maint", by allowing them
to respond with "well, you made the push to perform that update and
here is what you GPG signed".
> Off list I was told gpg-signed commits are a "checkbox feature",
> i.e. no real world workflow would actually use it. (That's a bold
> statement, someone has to use it as there was enough interest
> to implement it, no?)
I'd agree with that "checkbox" description, except that you need to
remember that a project can enforce _any_ workflow to its developer,
even if it does not make much sense, and at that point, the workflow
would become a real-world workflow. The word "real world workflow"
does not make any assurance if that workflow is sensible.
Historically, "tag -s" came a lot earlier. When a project for
whatever reason wants signature for each and every commit so that
they somehow can feel good, without "commit -s", it would have made
us unnecessary work to scale tag namespace only because there will
be tons of pointless tags. "commit -s" was a remedy for that.
next prev parent reply other threads:[~2017-03-06 22:13 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-03-06 19:59 [Request for Documentation] Differentiate signed (commits/tags/pushes) Stefan Beller
2017-03-06 22:13 ` Junio C Hamano [this message]
2017-03-06 22:52 ` Stefan Beller
2017-03-07 0:08 ` Junio C Hamano
2017-03-07 0:58 ` Stefan Beller
2017-03-06 23:03 ` Junio C Hamano
2017-03-06 23:59 ` Jakub Narębski
2017-03-07 0:16 ` Junio C Hamano
2017-03-07 7:16 ` Matthieu Moy
2017-03-07 9:23 ` Jeff King
2017-03-07 9:45 ` Tom Jones
2017-03-07 22:19 ` Stefan Beller
2017-03-08 5:41 ` Jeff King
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: http://vger.kernel.org/majordomo-info.html
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=xmqqshmqm4ur.fsf@junio-linux.mtv.corp.google.com \
--to=gitster@pobox.com \
--cc=Matthieu.Moy@imag.fr \
--cc=git@vger.kernel.org \
--cc=sbeller@google.com \
--cc=tom@oxix.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://80x24.org/mirrors/git.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).