Re: git-tag bug? confusing git fast-export with double tag objects

On 16.05.2009 at 19:16, Junio C Hamano <gitster@xxxxxxxxx> wrote:


The workflow for such a case would be:

 (0) I notice the signing key was somehow compromised; roll a new key,
     re-sign the tags, and send out an "I had to re-tag, and here is a list
     of the old and new tag object names you can use to verify" message;

 (1) You read such a message.  You do "git for-each-ref refs/tags" to see
     the object names to check with my message, and realize that you have
     stale tags.  So does Joe Dev but he may be slower to react;

 (2) You fetch (or ls-remote) from Joe Dev which is your preferred mirror
     of my tree and notice he hasn't updated, and let him know.  In the
     meantime you fetch "git fetch --tags" from me, and verify the result
     against my message.

 (3) Joe Dev would do the same.

That's largely manual, cumbersome, and makes everybody involved painfully
aware of what is going on, which may be an advantage over silently
updating with a new tag without telling anybody.

But you can improve the situation without losing security by doing
something like this.

Let's do things step by step and fix the current issue - and I fear there won't be an easy technical solution, so let's amend to the documentation for the nonce.

OK, what I was trying to do is rewrite history to fix up some b0rked internal addresses. That's a repository for a mostly frozen project, which is more a reference point than a basis for development. I had to recreate the few tag signatures there were, and hence I used "git tag -f" without thinking too much. I had seen the section on re-tagging, and am aware of it, but it somehow didn't apply to my situation.

I think we ought

(1) to fix the git tag -h output and manual page for consistency, and

(2) to add a note to make users aware that they can also tag tags (the [<object>] in SYNOPSIS may not be hint enough, as Git seems to differ substantially from other SCM systems in this respect - so this is a usability concern that deserves documentation).

I'll suggest something, but that can take a couple of days.

What else can we tag in Git? Commits and Tags. Is it sensible and does it work to tag blobs or trees?

--
Matthias Andree
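
Step (1) of the quoted workflow, as an added example that is not part of the original message or of Git itself: a shell function that compares the default output of "git for-each-ref refs/tags" with the old/new list from a re-tag announcement. The three-column list format, the function names and the object names in demo are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed announcement format, one
# re-issued tag per line:  <tag-name> <old-tag-object> <new-tag-object>
# stdin is the default output of `git for-each-ref refs/tags`:
#   <object-name> <object-type><TAB><refname>
# Exit status: 0 = nothing stale, 1 = stale or unexpected tag, 2 = empty list.
check_tags() {
    awk -v list="$1" '
        BEGIN {
            while ((getline line < list) > 0)
                if (split(line, f, " ") == 3) { old[f[1]] = f[2]; new[f[1]] = f[3]; n++ }
            if (!n) { rc = 2; exit 2 }
        }
        {
            name = $3
            sub(/^refs\/tags\//, "", name)
            if (!(name in old)) next            # tag was not re-issued
            seen[name] = 1
            obj = $1 ""                         # force string comparison:
                                                # all-digit names must not
                                                # be compared as numbers
            if (obj == new[name])      { state = "OK" }
            else if (obj == old[name]) { state = "STALE"; rc = 1 }
            else                       { state = "MISMATCH"; rc = 1 }
            printf "%-8s %s\n", state, name
        }
        END {
            for (t in old) if (!(t in seen)) printf "%-8s %s\n", "MISSING", t
            exit rc
        }
    '
}

# Constructed sample data: object names are placeholders, no repository needed.
demo() {
    d=$(mktemp -d) || return 2
    old1=$(printf '%040d' 1); new1=$(printf '%040d' 2)
    old2=$(printf '%040d' 3); new2=$(printf '%040d' 4)
    printf '%s\n' "v1.0 $old1 $new1" "v1.1 $old2 $new2" > "$d/retag-list"
    # v1.0 already re-fetched, v1.1 still the old object, v0.9 never re-issued
    printf '%s tag\trefs/tags/%s\n' "$new1" v1.0 "$old2" v1.1 "$old1" v0.9 |
        check_tags "$d/retag-list"
    status=$?
    rm -rf "$d"
    return $status
}

demo || echo "stale or unexpected tags found (exit $?)"
```

In a real repository the call would be "git for-each-ref refs/tags | check_tags retag-list.txt", where retag-list.txt (a hypothetical file name) holds the list copied from the verified announcement.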