Re: [PATCH 00/18] Signed push

On 23.08.2014 00:32, Junio C Hamano wrote:
> Stefan Beller <stefanbeller@xxxxxxxxx> writes:
> 
>> On 22.08.2014 22:33, Junio C Hamano wrote:
>>> Stefan Beller <stefanbeller@xxxxxxxxx> writes:
>>>
>>>> On 22.08.2014 22:03, Junio C Hamano wrote:
>>>>> Stefan Beller <stefanbeller@xxxxxxxxx> writes:
>>>>>
>>>>>> So there would be tags like:
>>>>>> 	master_2014_08_21
>>>>>> 	master_2014_08_22
>>>>>> 	...
>>>>>> 	maint_2014_08_13
>>>>>> 	maint_2014_08_21
>>>>>> and so on. Whenever there is no tag at the tip of the branch, we'd
>>>>>> know there is something wrong.
>>>>>
>>>>> Who creates that tag?
>>>>>
>>>>
>>>> My guess would be usability as tagging so many branches is cumbersome
>>>> for a maintainer?
>>>
>>> Did you answer my question?  Who creates these tags?
>>>
>>
>> It would be up to the one who pushes, the user, or in our case you!
>> ...
>> As I wrote in the first email, I made up this workaround and wanted to
>> see, what's so bad about that workaround and how to overcome the
>> problems. And all I could find was a burden on the maintainer/user.
> 
> "burden" is not an issue, as I'll be signing the push certificate
> anyway when I push.  A signed tag or a signed commit and signed push
> certificate solves two completely separate and orthogonal issues.
> 
> What happens if you break into GitHub or k.org and did
> 
>     $ git tag maint_2014_08_22 master_2014_08_22

Ok, I personally haven't used tags a lot.
I just tried to
	git tag -s testbreaktag v2.1.0
	git show testbreaktag
	# However it would still read:
tag v2.1.0
Tagger: Junio C Hamano <gitster@xxxxxxxxx>
Date:   Fri Aug 15 15:09:28 2014 -0700

So as I do not possess your private key I could not create signed tags
even if I were to break into github/k.org.



> 
> to create an extra tag out of the tag signed by me?  If you want,
> you could also remove the original while at it. 

Considering I'm in the hosting server,
could I delete the push cert as well?
Now that I deleted the push certificate,
I could pretend "Junio just forgot to sign the push cert today"
and we're back at the tag solution?

Ah wait! The subsequent push certs would not match,
I'd need to delete them as well.


> The goal is to let
> us validate without having to trust the hosting site, its management
> and its software, which is what creates the tag there, controls
> where the tag sits in refs/ hierarchy and how it is shown to the
> outside world.
> 

Ok, I got the goal. :)

Thanks for your patience,
Stefan
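
Added example, not part of the original message or of Git's code: a sketch of the audit implied by "the subsequent push certs would not match", replaying a log of push certificates for one ref and reporting where the old/new object ids fail to join up. It assumes the certificates have already passed GPG signature verification and that the log starts at the ref's creation; the certificate text follows Git's released push-certificate layout, and all ids, names and URLs are constructed.

```python
import re

ZERO = "0" * 40  # "no previous value": the ref is being created
CMD = re.compile(r"^([0-9a-f]{40}) ([0-9a-f]{40}) (\S+)$")

def parse_commands(cert_text):
    """Return [(old, new, ref)] from the body of one push certificate."""
    header, _, body = cert_text.partition("\n\n")
    if not header.startswith("certificate version "):
        raise ValueError("not a push certificate")
    cmds = []
    for line in body.splitlines():
        if line.startswith("-----BEGIN PGP SIGNATURE-----"):
            break  # signature checking is assumed to have happened already
        m = CMD.match(line)
        if m:
            cmds.append(m.groups())
    return cmds

def audit_ref(certs, ref, current_tip):
    """Replay certs in order; list every point where the history of `ref` breaks."""
    problems, expected = [], ZERO
    for i, text in enumerate(certs):
        for old, new, name in parse_commands(text):
            if name != ref:
                continue
            if old != expected:
                problems.append(f"cert {i}: old {old[:7]} but previous state was {expected[:7]}")
            expected = new
    if expected != current_tip:
        problems.append(f"tip {current_tip[:7]} not certified (last certified {expected[:7]})")
    return problems

def make_cert(old, new, ref):
    # Constructed sample; the signature block is a placeholder, not a real signature.
    return ("certificate version 0.1\n"
            "pusher Example Pusher <pusher@example.com> 1408741200 -0700\n"
            "pushee git://example.com/repo.git\nnonce CONSTRUCTED\n\n"
            f"{old} {new} {ref}\n"
            "-----BEGIN PGP SIGNATURE-----\n(placeholder)\n-----END PGP SIGNATURE-----\n")

A, B, C = "a" * 40, "b" * 40, "c" * 40
REF = "refs/heads/maint"
LOG = [make_cert(ZERO, A, REF), make_cert(A, B, REF), make_cert(B, C, REF)]

if __name__ == "__main__":
    print(audit_ref(LOG, REF, C))               # intact log
    print(audit_ref([LOG[0], LOG[2]], REF, C))  # middle certificate deleted
    print(audit_ref(LOG[:2], REF, C))           # latest certificate deleted
```

A log truncated at the end together with a rewound ref still replays cleanly, so this check needs a copy of the log or the latest certificate kept outside the hosting site.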