Re: Commit signing

On 1/16/07, Andy Parkins <andyparkins@xxxxxxxxx> wrote:

What about this set of repositories

 Central - Maintainer - Lieutenant - Subsystem Maintainer - Idiot - Vandal
...
 * Vandal spends one year developing reasonable relationship with Idiot, all
   patches are good.  Occasional big patches are pulled by Idiot.

If you are using signatures, the trojan horse would make sure he gets
his patches signed. What is the advantage again?

 * Vandal prepares extra big series of commits, with ostensibly good
   functionality.  In the middle of large series adds one small commit with
   the committer set to someone other than himself.  In fact, he sets it to be
   someone he doesn't like.

How about
- not pulling without review
- pulling only "own" patches from peripheral developers

Well yes.  I personally wouldn't bother, but I'm casting myself in the role
of "paranoid" maintainer for this discussion.

And if you are so paranoid, then you review, and mandate that all
patches get a lot of reading ;-) because bugs slip in due to idiocy a
whole lot more than because of trojans. Maybe you force patches to be
sent to a mailing list, discussed and merged in only if they survive
the hard-assed review. Like it happens with git or linux.

The answer is: no, you can't put your 100+X commits in my repository because I
don't trust the person who wrote X of them.  It is paranoid, and it is
overkill, but it is also /my/ repository.  It might also be that you are my
employee and you will do as you are damn well told.

I'm arguing that git should cater for the borderline sociopath as well as the
well-adjusted developer.  After all, PHBs need version control too :-)

Architecturally, you can't rewrite history just like that -- merge
skipping patches isn't possible. You _can_, however, cancel a merge
because something looks fishy.

In the case above, it is the distributed nature of git that causes the
problem: the original committer is Idiot, but the repository that the changes
use to get into central is Maintainer's.

IIRC Linus discussed this early on, and his view was that authorship
only gives you false security. The only security is in reviewing code.
And that the code-signed patches are dog-slow too.

cheers,
martin
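The two architectural points in the exchange above (the author/committer headers are plain text that nothing authenticates, and "merge skipping patches isn't possible" because every commit id covers its parent) can be shown with a few lines of Python. This is an added example, not code from the posts or from git itself: it reproduces git's real object-id construction (sha1 over "commit <size>\0" plus the body), but the tree ids, names, dates and keys are constructed sample data, and the per-person HMAC is only a stand-in for the GPG signature real commit signing would use.

```python
"""Toy model of git commit objects for the Vandal/Idiot scenario.

Added example, not from the original thread or from git. Object ids are
computed exactly as git computes them; everything else (tree ids, names,
timestamps, keys) is constructed, and HMAC stands in for GPG so the
example runs offline with the standard library only.
"""
import hashlib
import hmac

# Constructed tree ids; in a real repository these would hash real trees.
TREE_A = "a" * 40
TREE_B = "b" * 40
TREE_C = "c" * 40

VANDAL = "Vandal <vandal@example.invalid>"   # constructed identity
IDIOT = "Idiot <idiot@example.invalid>"      # constructed identity


def git_oid(kind: str, body: bytes) -> str:
    """Object id as git computes it: sha1 over 'kind <size>\\0' + body."""
    return hashlib.sha1(f"{kind} {len(body)}\0".encode() + body).hexdigest()


def commit_body(tree, parents, author, committer, message, ts=1168934400):
    """Serialize a commit the way git does. The author and committer headers
    are free text: whoever writes the object can put any name there."""
    lines = [f"tree {tree}"]
    lines += [f"parent {p}" for p in parents]
    lines.append(f"author {author} {ts} +0000")
    lines.append(f"committer {committer} {ts} +0000")
    lines.append("")
    lines.append(message)
    return ("\n".join(lines) + "\n").encode()


def build_chain(steps):
    """steps: list of (tree, author, committer, message).
    Returns [(oid, body), ...]; each commit's parent is the previous oid,
    so every id depends on the whole history before it."""
    chain, parents = [], []
    for tree, author, committer, msg in steps:
        body = commit_body(tree, parents, author, committer, msg)
        oid = git_oid("commit", body)
        chain.append((oid, body))
        parents = [oid]
    return chain


# Vandal's series: the commit in the middle carries someone else's name
# in the committer header. Nothing in the object format prevents this.
SERIES = [
    (TREE_A, VANDAL, VANDAL, "feature: part 1"),
    (TREE_B, VANDAL, IDIOT, "tiny cleanup"),
    (TREE_C, VANDAL, VANDAL, "feature: part 2"),
]


def committer_of(body: bytes) -> str:
    """Read the committer header back out of a serialized commit."""
    for line in body.decode().split("\n"):
        if line.startswith("committer "):
            return line[len("committer "):].rsplit(" ", 2)[0]
    raise ValueError("no committer header")


def tip_after_dropping(steps, index):
    """Tip id if the commit at `index` is left out. This is what 'merge
    skipping a patch' would require: every later commit becomes a new
    object with a new id, so the omission is visible, not silent."""
    return build_chain(steps[:index] + steps[index + 1:])[-1][0]


# Constructed per-person secrets; with GPG this would be a private key and
# a keyring the maintainer curates. The point is that verification is
# bound to the key, not to the name written in the header.
KEYS = {VANDAL: b"vandal-secret", IDIOT: b"idiot-secret"}


def sign(body: bytes, who: str) -> bytes:
    return hmac.new(KEYS[who], body, hashlib.sha256).digest()


def verify(body: bytes, sig: bytes, who: str) -> bool:
    return hmac.compare_digest(sign(body, who), sig)


def forged_committer_verifies(chain) -> bool:
    """Vandal signs the commit whose header claims Idiot as committer.
    Checking the signature against the header's name fails, because
    Vandal does not hold Idiot's key."""
    _, body = chain[1]
    return verify(body, sign(body, VANDAL), committer_of(body))


if __name__ == "__main__":
    chain = build_chain(SERIES)
    print("committer header of commit 2:", committer_of(chain[1][1]))
    print("tip id:                ", chain[-1][0])
    print("tip id without commit 2:", tip_after_dropping(SERIES, 1))
    print("forged header verifies:", forged_committer_verifies(chain))
```

The empty-blob id `e69de29bb2d1d6434b8b29ae775ad8c2e48c5391` that `git_oid("blob", b"")` produces is the one real git prints, which is the check that the serialization matches. What the model does not and cannot show is whether the "tiny cleanup" is harmless: the signature tells the maintainer who pushed the object, not whether it is worth pulling, which is the reviewing point Martin ends on.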