On Tue, Aug 11, 2015 at 10:53 AM, Matthias Maier wrote:
>
>> constantly adds any security to the tree. What might add security for
>> end-users is if git automatically checked the push signatures, which
>> are the signatures that ensure that branches aren't tampered with
>> (which is what rebasin
> constantly adds any security to the tree. What might add security for
> end-users is if git automatically checked the push signatures, which
> are the signatures that ensure that branches aren't tampered with
> (which is what rebasing you bring up actually does).
It is news to me that a signat
On Mon, Aug 10, 2015 at 11:44 PM, Matthias Maier wrote:
>> That is, I was under the impression signing a tag only signs the
>> references themselves, and then relies on SHA1 referential integrity
>> beyond that.
>
> No, a signed tag verifies that the whole integrity of the entire
> repository, wh
On Mon, Aug 10, 2015, at 22:56 CDT, Kent Fredric wrote:
> So how is GPG verifying "The whole repository" ?
You can verify the state of the repository via
$ git fsck
after that you can verify that the current HEAD is tagged with a valid
and signed tag with something like
$ git tag -v `git
On 11 Aug 2015 15:23, Kent Fredric wrote:
> On 11 August 2015 at 15:06, Mike Frysinger wrote:
> > it would have to re-use the same tag name every time otherwise we end up
> > with
> > 17.5k/8.7k/4.3k/whatever new tags per year ... a really bad idea
>
> I was very much under the impression git is
On 11 August 2015 at 15:44, Matthias Maier wrote:
>
> No, a signed tag verifies that the whole integrity of the entire
> repository, whereas a signed commit only authenticates the differences
> introduced by a single commit.
git tag -s test
cat ./.git/refs/tags/test
456d216e3d1894d62429daf0ec4
> it would have to re-use the same tag name every time otherwise we end up with
> 17.5k/8.7k/4.3k/whatever new tags per year ... a really bad idea
Or we supply a signature of the sha1-sum of the tag in question by some
external procedure...
Best,
Matthias
> That is, I was under the impression signing a tag only signs the
> references themselves, and then relies on SHA1 referential integrity
> beyond that.
No, a signed tag verifies that the whole integrity of the entire
repository, whereas a signed commit only authenticates the differences
introduc
On 11 August 2015 at 15:06, Mike Frysinger wrote:
> it would have to re-use the same tag name every time otherwise we end up with
> 17.5k/8.7k/4.3k/whatever new tags per year ... a really bad idea
I was very much under the impression git is not designed with repeated
tag replication in considera
On 11 August 2015 at 09:05, Matthias Maier wrote:
> We could also provide automatic signed tags every 30min/1h/2h/whatever
> (signed with a suitable infrastructure key). With that, the integrity of
> a tagged git checkout can be easily verified on client side.
I'm distinctly under the impression
On 10 Aug 2015 16:05, Matthias Maier wrote:
> > Users can fetch/pull from Github.
>
> We could also provide automatic signed tags every 30min/1h/2h/whatever
> (signed with a suitable infrastructure key). With that, the integrity of
> a tagged git checkout can be easily verified on client side.
it
> Users can fetch/pull from Github.
We could also provide automatic signed tags every 30min/1h/2h/whatever
(signed with a suitable infrastructure key). With that, the integrity of
a tagged git checkout can be easily verified on client side.
Best,
Matthias
12 matches