User: Password:
|
|
Subscribe / Log in / New account

Public Git hosting - pull request in signed email

Public Git hosting - pull request in signed email

Posted Oct 28, 2011 20:19 UTC (Fri) by giraffedata (subscriber, #1954)
In reply to: Public Git hosting by neilbrown
Parent article: KS2011: Kernel.org report

All you really need to sign is the email requesting the 'pull' and ...

Isn't that (verifying that email signature) the part Linus says is too cumbersome?

I haven't personally ever known anyone to verify an email signature, and I'm pretty sure my email reader (Emacs Rmail) can't do it, so I don't know what's involved.


(Log in to post comments)

Public Git hosting - pull request in signed email

Posted Oct 28, 2011 21:16 UTC (Fri) by neilbrown (subscriber, #359) [Link]

If someone can do DNS spoofing, or break in to my server, then Linus can have no guarantee that what he pulled is what I wanted him to pull. Adding the SHA1 of the commit can give him that guarantee.

The mail reader I use (clawsmail) verifies email signatures quite nicely, and will even fetch keys for me. I don't think it warns me when someone changes keys which is something I would like.

Even emacs/vm can check mail signing...

I assumed that the bits that were too cumbersome were the signing and verification built in to git-tag.


Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds