Even if GPG were signing the source code itself, rather than a hash of it, it would be unusable for the DVCS case, because the important feature of DVCS chained hashing is that the hash covers *the entire history*. No-one's going to hand GPG the entire history of their project (which easily reaches the terabyte range) on every commit.
Posted Feb 7, 2010 1:26 UTC (Sun) by vonbrand (subscriber, #4458)
You are mistaken. E.g., git doesn't hash the whole repo each time I commit something, what is hashed as a commit is just the contents of a file containing pointers (as SHA-1 hashes) of its parents and any file contents referenced. You can also GPG-sign a tag for added security.
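The chained hashing both posters refer to, as an added example that is not part of this thread and not git's own code: a minimal reimplementation of how git derives blob, tree, commit and tag object ids, enough to show that each commit hashes only a few hundred bytes (a tree id plus parent ids), yet the tip id still pins every byte of history. The author identity, timestamp, file contents and tag name below are constructed for the example; only regular files (mode 100644) in a flat tree are supported, which is all the demonstration needs.

```python
import hashlib
from typing import Dict, List

# git object id = SHA-1 over "<type> <payload length>\0<payload>"
def git_hash(obj_type: str, payload: bytes) -> bytes:
    header = f"{obj_type} {len(payload)}\0".encode()
    return hashlib.sha1(header + payload).digest()

def blob_id(data: bytes) -> bytes:
    return git_hash("blob", data)

def tree_id(entries: Dict[str, bytes]) -> bytes:
    # entries: file name -> raw 20-byte blob id; git sorts entries by name.
    # Simplification for this example: every entry is a regular file.
    payload = b"".join(
        b"100644 " + name.encode() + b"\0" + oid
        for name, oid in sorted(entries.items())
    )
    return git_hash("tree", payload)

# Constructed identity; git would use the real author/committer and clock.
IDENT = b"Example Author <author@example.invalid> 1265500000 +0000"

def commit_object(tree: bytes, parents: List[bytes], message: str) -> bytes:
    """The bytes a commit actually hashes: tree id, parent ids, identities, message."""
    lines = [b"tree " + tree.hex().encode()]
    lines += [b"parent " + p.hex().encode() for p in parents]
    lines += [b"author " + IDENT, b"committer " + IDENT, b"", message.encode()]
    return b"\n".join(lines) + b"\n"

def commit_id(tree: bytes, parents: List[bytes], message: str) -> bytes:
    return git_hash("commit", commit_object(tree, parents, message))

def build_history(versions: List[bytes]) -> List[bytes]:
    """Linear history with one commit per version of a single file notes.txt."""
    commits: List[bytes] = []
    for data in versions:
        tree = tree_id({"notes.txt": blob_id(data)})
        parents = commits[-1:]  # empty list for the root commit
        commits.append(commit_id(tree, parents, f"revision {len(commits)}"))
    return commits

def tag_object(commit: bytes, name: str) -> bytes:
    """Payload of an annotated tag: this is the text a signed tag's signature covers.
    It names the commit only by id, so the signature reaches the whole history
    exactly as far as the hash chain is trustworthy, and no further."""
    return (b"object " + commit.hex().encode() + b"\ntype commit\ntag " + name.encode()
            + b"\ntagger " + IDENT + b"\n\n" + name.encode() + b"\n")

if __name__ == "__main__":
    honest = build_history([b"a\n", b"b\n", b"c\n"])
    tampered = build_history([b"A\n", b"b\n", b"c\n"])  # root commit's file altered
    print("tip of honest history :", honest[-1].hex())
    print("tip of tampered history:", tampered[-1].hex())
    print("same final tree, different tip:", honest[-1] != tampered[-1])
    big = commit_object(tree_id({"big.bin": blob_id(b"\0" * 1_000_000)}), [], "big")
    print("bytes hashed for a commit of a 1 MB file:", len(big))
    print(tag_object(honest[-1], "v1.0").decode())
```

The empty blob hashes to e69de29bb2d1d6434b8b29ae775ad8c2e48c5391 in real git, which is a quick way to confirm the object framing above is right. Note what the example does not show: if SHA-1 itself cannot be trusted, neither the commit ids nor a GPG signature over a tag object help, because both refer to earlier history only through those hashes.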
Security in the 20-teens
Posted Feb 7, 2010 3:09 UTC (Sun) by njs (guest, #40338)
You misread :-). Certainly git doesn't hash the whole repo, it uses the chained hashing trick (the "pointers" you mentioned). This subthread is about what happens if you don't trust hashes -- you certainly can't use the chained hashing trick.