Security in the 20-teens

Posted Feb 2, 2010 23:38 UTC (Tue) by njs (guest, #40338)
In reply to: Security in the 20-teens by joey
Parent article: Security in the 20-teens

Even if GPG were signing the source code itself, rather than a hash of it, it would be unusable for the DVCS case, because the important feature of DVCS chained hashing is that the hash covers *the entire history*. No one's going to hand GPG the entire history of their project (which easily reaches the terabyte range) on every commit.


Security in the 20-teens

Posted Feb 7, 2010 1:26 UTC (Sun) by vonbrand (guest, #4458)

You are mistaken. E.g., git doesn't hash the whole repo each time I commit something; what is hashed as a commit is just the contents of a file containing pointers (as SHA-1 hashes) of its parents and any file contents referenced. You can also GPG-sign a tag for added security.

Security in the 20-teens

Posted Feb 7, 2010 3:09 UTC (Sun) by njs (guest, #40338)

You misread :-). Certainly git doesn't hash the whole repo; it uses the chained hashing trick (the "pointers" you mentioned). This subthread is about what happens if you don't trust hashes -- you certainly can't use the chained hashing trick.
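
The chained hashing discussed in this subthread, as an added example that is not part of the original comments: it encodes git-style blob, tree and commit objects and shows that each commit hashes only a small object of pointers, yet the tip ID still changes when an old revision is altered. The file name, author identity, timestamps and file contents are constructed for illustration.

```python
import hashlib

def git_object_id(kind: str, body: bytes) -> str:
    """SHA-1 over git's object encoding: '<kind> <size>' + NUL + body."""
    header = f"{kind} {len(body)}".encode() + b"\0"
    return hashlib.sha1(header + body).hexdigest()

def tree_body(entries: dict[str, str]) -> bytes:
    """Tree object: one '<mode> <name>' + NUL + raw 20-byte id per file, sorted by name."""
    return b"".join(
        b"100644 " + name.encode() + b"\0" + bytes.fromhex(oid)
        for name, oid in sorted(entries.items())
    )

def commit_body(tree: str, parents: list[str], message: str) -> bytes:
    """Commit object: pointers to the tree and parent commits, plus metadata."""
    who = "Example Dev <dev@example.invalid> 1265500000 +0000"  # constructed identity
    lines = [f"tree {tree}"] + [f"parent {p}" for p in parents]
    lines += [f"author {who}", f"committer {who}", "", message]
    return ("\n".join(lines) + "\n").encode()

def build_history(versions: list[bytes]) -> list[tuple[str, int]]:
    """Commit each version of one file in turn.

    Returns (commit id, number of bytes hashed for that commit object) per revision.
    """
    history, parents = [], []
    for n, content in enumerate(versions):
        blob = git_object_id("blob", content)
        tree = git_object_id("tree", tree_body({"file.txt": blob}))
        body = commit_body(tree, parents, f"revision {n}")
        cid = git_object_id("commit", body)
        history.append((cid, len(body)))
        parents = [cid]  # the next commit points back at this one
    return history

if __name__ == "__main__":
    # Constructed sample: only the first (large) revision differs between the two histories.
    original = build_history([b"v1\n" * 100000, b"v2\n", b"v3\n"])
    tampered = build_history([b"vX\n" * 100000, b"v2\n", b"v3\n"])
    for (a, size), (b, _) in zip(original, tampered):
        print(a[:12], b[:12], f"commit object: {size} bytes")
```

The later revisions have identical file contents and trees in both histories; their commit IDs differ only because the parent pointer differs.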


Copyright © 2017, Eklektix, Inc.