Re: [PATCH] merge/pull: verify GPG signatures of commits being merged

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Jonathan Nieder <jrnieder@xxxxxxxxx> writes:

>> git merge/pull:
>> When --verify-signatures is specified on the command-line of git-merge
>> or git-pull, check whether the commits being merged have good gpg
>> signatures and abort the merge in case they do not. This allows e.g.
>> auto-deployment from untrusted repo hosts.
>
> This leaves me pretty nervous.  Is there an argument to pass in to
> specify a keyring with public keys to trust?  Without that, it is
> presumably using ~/.gnupg/trustdb.gpg, which is about trust of
> identity rather than trust to provide code to run on my machine. :(

I think people who create a real merge via "git pull" and use that
as "auto-deployment" mechanism is insane, but presumably that "auto"
tells us some other things, like it will be done by non-human account,
its $HOME/.gnupg would contain only the keyring that is for the auto
deployer, or the cronscript that runs "git pull" can set GNUPGHOME
and export it before doing so.

So, I wouldn't be worried about it too much.
--
To unsubscribe from this list: send the line "unsubscribe git" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html




[Index of Archives]     [Linux Kernel Development]     [Gcc Help]     [IETF Annouce]     [DCCP]     [Netdev]     [Networking]     [Security]     [V4L]     [Bugtraq]     [Yosemite]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Linux SCSI]     [Fedora Users]