please gpg sign tags (and commits?) #152

Closed
thkoch2001 opened this issue Aug 20, 2015 · 6 comments
Labels: admin (Project/release administrativia)

Comments
@thkoch2001
Hi,

could you please sign your git tags? Thus people can verify that they got the code you wrote and not some man-in-the-middle attack.

man git-tag

Thx!

@Fuco1
Collaborator

Fuco1 commented Aug 20, 2015

Isn't comparing the hash enough?

@thkoch2001
Author

What hash to compare with what? And how to trust the "what"?

@Fuco1
Collaborator

Fuco1 commented Aug 20, 2015

And how would you trust/verify my signature, and those of all the contributors? Crypto is nice but breaks very fast in the real world under non-perfect assumptions.

I would trust GitHub to not forge the hashes more than a random guy from the internet sending you his key, if I were going for security.

I can happily sign the commits as it is no burden at all, but I find it pretty pointless, so I never bothered to set it up. Plus, unless all the contributors do so it's useless anyhow, so let's wait for the rest to say something.

@thkoch2001
Author

I can trust your signature if your key is signed by people that are strongly connected to the web of trust. I've never met Richard Stallman, but there are 8 different trust paths from my key to his key:
http://pgp.cs.uu.nl/paths/042BA65A/to/2A8E4C02.html

I also don't need to trust all contributors. I believe that somebody who tags the release should be responsible to know the contributors and have reviewed patches or have other people who review those patches. Linus Torvalds does not review all patches to the Linux kernel himself, but he has people he trusts.

@stiell
stiell commented Sep 27, 2016

Even a signature by an untrusted key is better than nothing. Unsigned code is open to any MITM attacker. If the repo has signed commits/tags, I can choose to trust on first use, after which pulling new code signed with the same key would be secure against a MITM attack.

It is not necessary that all commits are signed or that all keys are trusted. One could simply use the latest commit signed by a trusted key and then review any later untrusted changes as necessary before use.

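The trust-on-first-use scheme stiell describes (and the `git tag -v` verification the original request relies on) can be scripted. The following is an added example, not code from this issue or from the project: it reads the machine-readable GnuPG status lines that `git verify-tag --raw <tag>` relays on stderr (the `GOODSIG`/`VALIDSIG`/`BADSIG`/`ERRSIG`/`NO_PUBKEY` lines documented in GnuPG's doc/DETAILS), pins the primary key fingerprint the first time a repository's tag verifies, and rejects later tags signed by any other key. The sample status strings, fingerprints, user id and repository name are constructed for the example.

```python
"""Trust-on-first-use (TOFU) check for GPG-signed git tags (added example).

`git verify-tag --raw <tag>` prints GnuPG's status lines on stderr.  We parse
them, pin the signer's key fingerprint on the first good verification for a
repository, and refuse later tags signed by a different key.
"""
import json
import re
import subprocess
from pathlib import Path

# VALIDSIG <sig-key-fpr> <date> <sig-ts> <expire-ts> <ver> <reserved>
#          <pk-algo> <hash-algo> <sig-class> [<primary-key-fpr>]
_VALIDSIG = re.compile(
    r"^\[GNUPG:\] VALIDSIG ([0-9A-F]{40,64}) \S+ \d+ \d+ \d+ \S+ \d+ \d+ "
    r"[0-9A-F]{2}(?: ([0-9A-F]{40,64}))?"
)
_GOODSIG = re.compile(r"^\[GNUPG:\] GOODSIG [0-9A-F]+ (.*)$")
_FAILURES = ("BADSIG", "ERRSIG", "NO_PUBKEY", "EXPKEYSIG", "REVKEYSIG")


def parse_gpg_status(status: str) -> dict:
    """Reduce GnuPG status output to {good, fingerprint, signer, failures}."""
    result = {"good": False, "fingerprint": None, "signer": None, "failures": []}
    for line in status.splitlines():
        m = _VALIDSIG.match(line)
        if m:
            # Pin the primary key fingerprint when present: a signing subkey
            # may be rotated while the maintainer's identity stays the same.
            result["fingerprint"] = m.group(2) or m.group(1)
            continue
        m = _GOODSIG.match(line)
        if m:
            result["signer"] = m.group(1)
            continue
        for tag in _FAILURES:
            if line.startswith(f"[GNUPG:] {tag}"):
                result["failures"].append(tag)
    # Only GOODSIG backed by VALIDSIG counts, and any failure line vetoes it.
    result["good"] = bool(
        result["fingerprint"] and result["signer"] and not result["failures"]
    )
    return result


def tofu_decision(pins: dict, repo_id: str, parsed: dict) -> str:
    """TOFU policy: 'pinned' on first good signature, 'ok' on a match,
    'reject: ...' for a bad/missing signature or a changed key.

    `pins` maps repo_id -> fingerprint and is updated on first use.
    """
    if not parsed["good"]:
        return "reject: " + (",".join(parsed["failures"]) or "no valid signature")
    fpr = parsed["fingerprint"]
    pinned = pins.get(repo_id)
    if pinned is None:
        pins[repo_id] = fpr
        return "pinned"
    if pinned == fpr:
        return "ok"
    return f"reject: key changed {pinned[-16:]} -> {fpr[-16:]}"


def verify_tag(repo: str, tag: str, pins_path: Path) -> str:
    """Run git's verification for `tag` in `repo`, applying pins stored as JSON."""
    pins = json.loads(pins_path.read_text()) if pins_path.exists() else {}
    proc = subprocess.run(
        ["git", "-C", repo, "verify-tag", "--raw", tag],
        capture_output=True, text=True,
    )
    decision = tofu_decision(pins, repo, parse_gpg_status(proc.stderr))
    pins_path.write_text(json.dumps(pins, indent=2))
    return decision


# Constructed sample status output (fingerprints and user id are made up).
MAINTAINER_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"
GOOD_STATUS = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG 89ABCDEF01234567 Example Maintainer <maintainer@example.org>\n"
    f"[GNUPG:] VALIDSIG {MAINTAINER_FPR} 2021-02-15 1613347200 0 4 0 1 8 00 {MAINTAINER_FPR}\n"
    "[GNUPG:] TRUST_UNDEFINED 0 pgp\n"
)
OTHER_FPR = "FEDCBA9876543210FEDCBA9876543210FEDCBA98"
OTHER_KEY_STATUS = (
    "[GNUPG:] GOODSIG 76543210FEDCBA98 Someone Else <else@example.org>\n"
    f"[GNUPG:] VALIDSIG {OTHER_FPR} 2021-03-01 1614556800 0 4 0 1 8 00 {OTHER_FPR}\n"
)
BAD_STATUS = "[GNUPG:] BADSIG 89ABCDEF01234567 Example Maintainer <maintainer@example.org>\n"
NO_PUBKEY_STATUS = (
    "[GNUPG:] ERRSIG 89ABCDEF01234567 1 8 00 1613347200 9\n"
    "[GNUPG:] NO_PUBKEY 89ABCDEF01234567\n"
)

if __name__ == "__main__":
    pins = {}
    for label, status in [("first", GOOD_STATUS), ("same key", GOOD_STATUS),
                          ("other key", OTHER_KEY_STATUS), ("bad sig", BAD_STATUS)]:
        print(f"{label:>10}: {tofu_decision(pins, 'example-repo', parse_gpg_status(status))}")
```

The pin is the primary key fingerprint rather than the short key id in `GOODSIG`, since short ids are not collision resistant. Note that git itself accepts any good signature regardless of the key's web-of-trust validity unless `gpg.minTrustLevel` is set; this script deliberately leaves that policy to the pin file, which is exactly the "trust on first use" choice stiell describes.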
@Fuco1 Fuco1 added the enhancement Suggestion to improve or extend existing behavior label Jul 26, 2018
@basil-conto basil-conto self-assigned this Jan 6, 2021
@basil-conto basil-conto added this to To Do in Release 2.18.0 Jan 6, 2021
@basil-conto basil-conto added this to the 2.18.0 milestone Jan 6, 2021
@basil-conto basil-conto added admin Project/release administrativia and removed enhancement Suggestion to improve or extend existing behavior labels Jan 6, 2021
@basil-conto basil-conto moved this from To Do to In Progress in Release 2.18.0 Feb 15, 2021
@basil-conto basil-conto moved this from In Progress to Done in Release 2.18.0 Feb 15, 2021
@basil-conto
Collaborator

Please let me know if I did something incorrectly for the 2.18.0 release.
