On Sun, Nov 23, 2008 at 09:30:56PM -0800, Junio C Hamano wrote: > Junio C Hamano <gitster@xxxxxxxxx> writes: > > > Deskin Miller <deskinm@xxxxxxxxx> writes: > > > >> It struck me a while back when I fetched a new tagged release from git.git that > >> if I wanted to verify the tag's signature, I'd have to issue another command to > >> do so. Shouldn't git be able to do that for me automatically, when it fetches > >> signed tags? Now it does. Also, 'git remote update' gets this for free. > > > > I think this should be done inside your own hook. Not interested at all > > in a solution to touch builtin-fetch.c, unless if the patch is about > > adding a new hook so that people with other needs can use it as well. > > ... or a much stronger case can be made why this shouldn't be done in a > hook. > > I realize "not interested at all" was a bit too strong, so I am trying to > rephrase it here. The cycle that begins with an RFC that leads to > discussion and review is about clarifying the rationale and design > incrementally, so please do not get offended by my no, and sorry for using > unnecessarily strong wording. > > What I meant was more like "The justification as given in the message does > not interest me in the patch at all as it stands. I do not understand why > this has to be done as a patch to git-fetch itself, not in a hook script, > or why doing it inside git-fetch is a better approach than doing it in a > hook (if there already is a hook mechanism to do this)". Let's try this then: ----- Despite core git's built-in support of cryptographic authentication and integrity verification through the use of signed tags, git still fails to provide a good first line of defense against malicious entities hijacking repositories and disseminating arbitrary code, since git does not try to verify signed tags at the time they are fetched. If such a compromise occurred, the prospect of even one individual who did not verify the newly-fetched tag prior to use gives this a large potential value to attackers, and represents a commensurate risk to the git-using community. This patch series mitigates this risk by trying to verify each signed tag when it is first fetched. Since, however, not everyone is concerned with the security of signed tags, this feature tries to be conservative insofar as signatures with public keys which are missing from the user's keyring do not cause anything to be said about the tag's validity; furthermore, a configuration variable exists to disable these checks entirely, if desired. ----- *the RFC patch series v1 does not include such a configuration variable. I appreciate that such verification could be accomplished by the as-yet-nonexistent post-fetch hook, and if that hook existed, I probably would have done this in that hook. With that said, I do feel like this feature merits consideration for inclusion in the builtin fetch code. First, I very much agree with what Dscho said in his review of patch 1, that hooks represent a rather more advanced feature of git than most users are willing to investigate. So the question, then, is whether this feature is important enough to include in core git. I of course think that it is important enough. Given that we have git-tag installed by default when one builds git, there is a certain commitment to supporting the use of signed tags; and I see verifying them when first fetched as a logical continuation of this support. As such, a hook seems an unsuitable approach to provide support for this new use of signed tags. I'm happy to ask what suggestions you have for someone intending to implement hooks around fetch; I've not looked at the code in this light, but someone's got to do it sooner or later. Deskin Miller -- To unsubscribe from this list: send the line "unsubscribe git" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
