Public Git hosting
Posted Oct 26, 2011 0:46 UTC (Wed) by neilbrown (subscriber, #359)
All you really need to sign is the email requesting the 'pull' and make sure the hash of the commit is in that email and easy for Linus to either use directly or check.
Unfortunately I cannot ask Linus to
git pull git://myhost/path hash-tag-goes-here
because git doesn't want a hash-tag, it wants a refspec.
However if git-pull were changed to accept that, and git-request-pull were changed to output exactly the right 'git pull' command, then Linus could just verify the signature on the email (which I hope his email client is up to!) and use the command that is in it. Then it doesn't matter how secure the hosting provider is - if the pull succeeds, it can be trusted as much as the person who signed the email.
So yes: a little bit cumbersome, but not much.
Public Git hosting - pull request in signed email
Posted Oct 28, 2011 20:19 UTC (Fri) by giraffedata (subscriber, #1954)
All you really need to sign is the email requesting the 'pull' and ...
Isn't that (verifying that email signature) the part Linus says is too cumbersome?
I haven't personally ever known anyone to verify an email signature, and I'm pretty sure my email reader (Emacs Rmail) can't do it, so I don't know what's involved.
Posted Oct 28, 2011 21:16 UTC (Fri) by neilbrown (subscriber, #359)
The mail reader I use (clawsmail) verifies email signatures quite nicely, and will even fetch keys for me. I don't think it warns me when someone changes keys which is something I would like.
Even emacs/vm can check mail signing...
I assumed that the bits that were too cumbersome were the signing and verification built in to git-tag.
Posted Nov 3, 2011 1:06 UTC (Thu) by slashdot (guest, #22014)
As far as I can tell, most mail clients support GPG and will tell you whether an e-mail is signed by a trusted key.
If using a custom mail client, it should be very easy to invoke GPG appropriately to do that check.
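The check discussed in this thread, as an added example that is not part of any comment above and is not git's or any mail client's own code: verify the signed request with GPG, take the commit id only from the signed text, fetch by refspec, and refuse to merge unless the host served exactly that commit. It assumes the request was saved as an inline clearsigned file; the function names, `request.asc` and `for-linus` are hypothetical.

```shell
#!/bin/sh
# Added example. Assumes an inline clearsigned request saved to a file.

# Print the signed text of clearsigned file $1. Fail unless gpg reports a
# valid signature from a key the local keyring trusts fully or ultimately.
signed_body() {
    st=$(mktemp) || return 1
    out=$(gpg --batch --status-fd 3 --decrypt "$1" 3>"$st" 2>/dev/null) ||
        { rm -f "$st"; return 1; }
    if grep -q '^\[GNUPG:\] VALIDSIG ' "$st" &&
       grep -Eq '^\[GNUPG:\] TRUST_(FULLY|ULTIMATE)' "$st"; then
        rm -f "$st"
        printf '%s\n' "$out"
        return 0
    fi
    rm -f "$st"
    return 1
}

# Read text on stdin and print the single 40-hex commit id it names.
# Zero ids, or two different ids, is ambiguous and fails.
extract_commit() {
    ids=$(grep -Eow '[0-9a-f]{40}' | sort -u)
    [ "$(printf '%s\n' "$ids" | grep -c .)" -eq 1 ] || return 1
    printf '%s\n' "$ids"
}

# usage: verified_pull request.asc git://myhost/path for-linus
verified_pull() {
    body=$(signed_body "$1") ||
        { echo "signature missing, bad, or from an untrusted key" >&2; return 1; }
    # Parse gpg's output, not the raw file: text outside the signed
    # region of a clearsigned message is not covered by the signature.
    want=$(printf '%s\n' "$body" | extract_commit) ||
        { echo "signed text must name exactly one commit id" >&2; return 1; }
    git fetch "$2" "$3" || return 1
    got=$(git rev-parse --verify 'FETCH_HEAD^{commit}') || return 1
    if [ "$got" != "$want" ]; then
        echo "host served $got but the signed request names $want" >&2
        return 1
    fi
    git merge "$got"
}
```

Because the merge target is the hash that was compared rather than a ref name, a host that moves the branch between the fetch and the merge cannot change what is merged.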