
Public Git hosting

Posted Oct 25, 2011 20:13 UTC (Tue) by obrakmann (subscriber, #38108)
In reply to: Public Git hosting by corbet
Parent article: KS2011: report

Well, they are setting up this neat GPG web of trust, so why not make use of it? Signing the pull request with said GPG key should be enough to verify the requester's identity, shouldn't it? Sure, at this time, it wouldn't fly yet, but half a year down the road? Or am I missing something?

Public Git hosting

Posted Oct 25, 2011 21:09 UTC (Tue) by dlang (subscriber, #313) [Link]

Linus commented on this by pointing out that the GPG-related validation tools are still too cumbersome to use.

Public Git hosting

Posted Oct 26, 2011 0:46 UTC (Wed) by neilbrown (subscriber, #359) [Link]

GPG signing in git is possibly cumbersome, partly because you can only sign a tag, and I don't think we want to be creating tags for every pull request (though if they don't propagate by default that might be OK).

All you really need to sign is the email requesting the 'pull' and make sure the hash of the commit is in that email and easy for Linus to either use directly or check.

Unfortunately I cannot ask Linus to
git pull git://myhost/path hash-tag-goes-here

because git doesn't want a hash-tag, it wants a refspec.

However, if git-pull were changed to accept that, and git-request-pull were changed to output exactly the right 'git pull' command, then Linus could just verify the signature on the email (which I hope his email client is up to!) and use the command that is in it. Then it doesn't matter how secure the hosting provider is - if the pull succeeds, it can be trusted as much as the person who signed the email.

So yes: a little bit cumbersome, but not much.

Public Git hosting - pull request in signed email

Posted Oct 28, 2011 20:19 UTC (Fri) by giraffedata (subscriber, #1954) [Link]

All you really need to sign is the email requesting the 'pull' and ...

Isn't that (verifying that email signature) the part Linus says is too cumbersome?

I haven't personally ever known anyone to verify an email signature, and I'm pretty sure my email reader (Emacs Rmail) can't do it, so I don't know what's involved.

Public Git hosting - pull request in signed email

Posted Oct 28, 2011 21:16 UTC (Fri) by neilbrown (subscriber, #359) [Link]

If someone can do DNS spoofing, or break in to my server, then Linus can have no guarantee that what he pulled is what I wanted him to pull. Adding the SHA1 of the commit can give him that guarantee.

The mail reader I use (clawsmail) verifies email signatures quite nicely, and will even fetch keys for me. I don't think it warns me when someone changes keys which is something I would like.

Even emacs/vm can check mail signing...

I assumed that the bits that were too cumbersome were the signing and verification built in to git-tag.
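
The check described in neilbrown's two comments above, as an added example that is not part of the original thread: verify the signed request, take the commit SHA-1 from the signed text only, fetch, and merge only if the fetched tip is that commit. The function names, the clearsigned-file layout, the pinned-fingerprint argument, the `for-linus` branch and the sample text are assumptions; git-pull is used unchanged, so the hash is compared after an ordinary fetch.

```shell
#!/bin/sh
# Added example; function names, file layout and sample text are assumptions.

# Print the one 40-hex SHA-1 commit id found on stdin. Zero ids or several
# different ids is an error, so an ambiguous request is never acted on.
signed_commit_id() {
    ids=$(grep -Eow '[0-9a-f]{40}' | sort -u)
    [ -n "$ids" ] || return 1
    [ "$(printf '%s\n' "$ids" | wc -l)" -eq 1 ] || return 1
    printf '%s\n' "$ids"
}

# Check a clearsigned request ($1) against one pinned signing-key
# fingerprint ($2) and print the commit id from the signed text only.
# Text outside the signed block never reaches the parser.
verified_commit_id() {
    status=$(mktemp) || return 1
    body=$(gpg --batch --status-fd 3 --decrypt "$1" 3>"$status" 2>/dev/null)
    rc=$?
    grep -q "^\[GNUPG:\] VALIDSIG $2 " "$status" || rc=1
    rm -f "$status"
    [ "$rc" -eq 0 ] || return 1
    printf '%s\n' "$body" | signed_commit_id
}

# Fetch branch $4 from URL $3 and merge only if its tip is the signed commit.
pull_if_signed() {
    want=$(verified_commit_id "$1" "$2") ||
        { echo "signature check failed" >&2; return 1; }
    git fetch --quiet "$3" "$4" || return 1
    got=$(git rev-parse --verify 'FETCH_HEAD^{commit}') || return 1
    [ "$got" = "$want" ] ||
        { echo "fetched $got but $want was signed" >&2; return 1; }
    git merge "$want"
}

# Constructed sample of the signed text of a pull request.
sample_request() {
    cat <<'EOF'
Please pull from git://myhost/path for-linus
up to commit 0123456789abcdef0123456789abcdef01234567
EOF
}
```

A good signature alone only says that some key in the keyring signed the text, which is why the fingerprint is pinned through the `VALIDSIG` status line rather than relying on gpg's exit code.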

Public Git hosting

Posted Nov 3, 2011 1:06 UTC (Thu) by slashdot (guest, #22014) [Link]

How so?

As far as I can tell, most mail clients support GPG and will tell you whether an e-mail is signed by a trusted key.

If using a custom mail client, it should be very easy to invoke GPG appropriately to do that check.