On Tue, Jan 26, 2016 at 01:13:16PM -0800, Junio C Hamano wrote: > Jeff King <peff@xxxxxxxx> writes: > > > On Tue, Jan 26, 2016 at 10:29:42AM -0500, Santiago Torres wrote: > > > >> > If you cannot trust those with write access to a repo that you are > >> > pulling and installing from you might want to re-check where you are > >> > pulling or installing from ;) > >> > >> Yeah, I see your point, but mechanisms to ensure the server's origin can > >> be bypassed (e.g., a MITM). I don't think it would hurt to ensure the > >> source pointed to is the source itself. The tag signature can help us do > >> this. > > > > Right. I think the more interesting use case here is "I trust the > > upstream repository owner, but I do not trust their hosting site of > > choice." > > Yup, and push-certificate is there to help with that issue. Yes, I agree, but wouldn't this provide an in-band solution to this very particular scenario. In order to provide the spureous tag, you have to provide the tagname it should be pointing to (or tamper with the tag object). Push certificates can address many other sorts of attacks, but are not in-band in this sense are they? Thanks! -Santiago. -- To unsubscribe from this list: send the line "unsubscribe git" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html