On Wed, Sep 28, 2011 at 05:28:53PM -0700, Junio C Hamano wrote:
> I suspect that letting GPG do the compression and shipping foo.tar.gpg
> would work just fine as well,

Good point.  If only "tar -xW foo.tar.gpg" automatically verified the gpg
signature, that would work really well indeed.  :-)

> I understand that the automated GPG signature k.org used to use on the
> master machine was primarily to protect the copies that the mirrors serve
> from getting tampered after they leave the master machine.  Do you happen
> to know what the new policy will be?  Will the developers who distribute
> their snapshot tarballs from the site be GPG signing them themselves
> before uploading?

This is still being negotiated.  Given that developers are starting to
sign their release tags (and of course Linus has been doing this already),
one of the things that I've proposed is that we support having the
developer do something like this:

    git archive --format=tar -o e2fsprogs-1.41.12.tar v1.41.12
    gzip -9n e2fsprogs-1.41.12.tar
    gpg --sign --detach -a e2fsprogs-1.41.12.tar.gz

and then just upload the tar.gz.gpg file, the URL for the git tree, and
the tag that the server should use to do the extraction.

> That would improve the situation (I suspect that there
> were some people who misunderstood that these GPG signature were to
> protect against break-in at the master machine), but at the same time, it
> may create the chicken-and-egg bootstrapping problem if public keys of too
> many people need to be published securely.

We are in the process of bootstrapping a GPG web of trust.  Linus has
generated a new GPG key which has been signed by Peter Anvin, Dirk, and
myself.  We'll get a much richer set of cross signatures at the Kernel
Summit in Prague in a few months.  Also, there's a pretty good
intersection between kernel developers and the Debian web of trust;
there's been some talk of using that as an auxiliary bootstrap for
isolated kernel developers in distant parts of the world.
- Ted

--
To unsubscribe from this list: send the line "unsubscribe git" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
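The pipeline sketched in Ted's message (git archive, gzip -9n, detached GPG signature) and the server-side check it implies, as an added example that is not code from the thread, from kernel.org or from e2fsprogs. It runs the developer side and the server side against separate throwaway keyrings so that the two points the message raises can be seen directly: the server can verify nothing until it holds the developer's public key (the bootstrapping problem), and once it does, any byte changed after signing, for example on a mirror, is rejected before extraction. The repository, the v1.41.12 tag, the file contents, the key user id and the directory names are all constructed for the demo; the fixed git dates are only there to make the tagged commit identical on every run.

```shell
#!/bin/sh
# Added example, not code from the thread: developer-side pipeline
# (git archive -> gzip -9n -> detached GPG signature) plus a server-side
# verify-before-extract step. Everything lives in temporary directories and
# temporary keyrings; repo, tag, file contents and key user id are made up.
set -eu

for tool in git gzip tar gpg cmp; do
    command -v "$tool" >/dev/null 2>&1 || { echo "skip: $tool not installed" >&2; exit 0; }
done

# Fixed identity and dates so the sample commit (and thus the archive) is
# the same every run; "1317256133 -0700" is git's internal date format.
export GIT_AUTHOR_NAME=dev GIT_AUTHOR_EMAIL=dev@example.invalid
export GIT_COMMITTER_NAME=dev GIT_COMMITTER_EMAIL=dev@example.invalid
export GIT_AUTHOR_DATE='1317256133 -0700' GIT_COMMITTER_DATE='1317256133 -0700'
DEV_UID='Example Developer <dev@example.invalid>'   # assumed key user id

setup_repo() {            # $1 = directory; one-file repo with annotated tag v1.41.12
    git init -q "$1"
    printf 'sample source file for the demo\n' > "$1/README"
    git -C "$1" add README
    git -C "$1" commit -q -m "initial import"
    git -C "$1" tag -a v1.41.12 -m "release 1.41.12"
}

build_tarball() {         # $1 = repo, $2 = tag, $3 = output .tar.gz
    git -C "$1" archive --format=tar -o "${3%.gz}" "$2"
    gzip -9nf "${3%.gz}"  # -n: no original name/mtime in the gzip header -> reproducible bytes
}

sign_tarball() {          # $1 = signer GNUPGHOME, $2 = file; writes $2.asc
    GNUPGHOME="$1" gpg --batch --yes --pinentry-mode loopback --passphrase '' \
        --local-user "$DEV_UID" --armor --detach-sign "$2"
}

# Server side: extract only if the detached signature verifies against a key
# the server already holds. An unknown key or a tampered tarball leaves $3 absent.
verify_and_extract() {    # $1 = server GNUPGHOME, $2 = tarball, $3 = destination
    if GNUPGHOME="$1" gpg --batch --verify "$2.asc" "$2"; then
        mkdir -p "$3" && tar -xzf "$2" -C "$3"
    else
        return 1
    fi
}

run_demo() {
    WORK=$(mktemp -d); DEV="$WORK/dev-keyring"; SRV="$WORK/srv-keyring"
    mkdir -m 700 "$DEV" "$SRV"
    echo allow-loopback-pinentry > "$DEV/gpg-agent.conf"   # unattended signing
    setup_repo "$WORK/repo"

    # Two independent builds must be byte-identical; gzip -n is what makes this hold.
    build_tarball "$WORK/repo" v1.41.12 "$WORK/a.tar.gz"
    build_tarball "$WORK/repo" v1.41.12 "$WORK/b.tar.gz"
    cmp -s "$WORK/a.tar.gz" "$WORK/b.tar.gz" && REPRODUCIBLE=yes || REPRODUCIBLE=no

    TGZ="$WORK/e2fsprogs-1.41.12.tar.gz"; cp "$WORK/a.tar.gz" "$TGZ"
    GNUPGHOME="$DEV" gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-gen-key "$DEV_UID" default default never 2>/dev/null
    sign_tarball "$DEV" "$TGZ"

    # Server has no copy of the developer's key yet: nothing can be verified.
    verify_and_extract "$SRV" "$TGZ" "$WORK/out0" && UNKNOWN_KEY_REJECTED=no || UNKNOWN_KEY_REJECTED=yes

    # Bootstrap: the server imports the public key (out of band in reality), then verifies.
    GNUPGHOME="$DEV" gpg --batch --armor --export "$DEV_UID" > "$WORK/dev.pub.asc"
    GNUPGHOME="$SRV" gpg --batch --quiet --import "$WORK/dev.pub.asc" 2>/dev/null
    EXTRACT_DIR="$WORK/out1"
    verify_and_extract "$SRV" "$TGZ" "$EXTRACT_DIR" && GOOD_SIG=yes || GOOD_SIG=no

    # Tampering after signing (e.g. on a mirror): one appended byte breaks the signature.
    printf '\0' >> "$TGZ"
    verify_and_extract "$SRV" "$TGZ" "$WORK/out2" && TAMPER_REJECTED=no || TAMPER_REJECTED=yes

    for h in "$DEV" "$SRV"; do GNUPGHOME="$h" gpgconf --kill gpg-agent 2>/dev/null || true; done
    echo "reproducible=$REPRODUCIBLE unknown_key_rejected=$UNKNOWN_KEY_REJECTED" \
         "good_sig=$GOOD_SIG tamper_rejected=$TAMPER_REJECTED"
}

run_demo
```

Two design points worth noting. The reproducibility check matters for the "URL for the git tree plus tag" half of the proposal: if the server can rebuild the same bytes from the tag, a signed tarball and a signed tag vouch for the same content, and gzip -n is the detail that keeps the gzip header from smuggling in a timestamp. The server keyring is deliberately empty at the start, because that is exactly the state the message's web-of-trust bootstrapping is meant to get out of; gpg returns a non-zero status for "no public key" just as it does for a bad signature, so the extraction step refuses in both cases without any special handling.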