URL:
  <http://savannah.gnu.org/bugs/?50809>

                 Summary: Require signed Git commits
                 Project: GNU GRUB
            Submitted by: sampablokuper
            Submitted on: Sat 15 Apr 2017 10:53:59 PM UTC
                Category: Security
                Severity: Major
                Priority: 5 - Normal
              Item Group: Action Request
                  Status: None
                 Privacy: Public
             Assigned to: None
         Originator Name: 
        Originator Email: 
             Open/Closed: Open
         Discussion Lock: Any
                 Release: 
                 Release: Git master
         Reproducibility: Every Time
         Planned Release: None

    _______________________________________________________

Details:

None of GRUB's Git commits have been signed:

$ git log --pretty="format:%G?" | grep -v 'N$'
$ 

This exposes GRUB to tampering. See:
https://mikegerwitz.com/papers/git-horror-story

GRUB should implement a Git hook to prevent unsigned commits being committed
to the Savannah-hosted master branch or to Savannah-hosted tags.

(By "Savannah-hosted", I mean "hosted at savannah.gnu.org".)




    _______________________________________________________

Reply to this item at:

  <http://savannah.gnu.org/bugs/?50809>

_______________________________________________
  Message sent via/by Savannah
  http://savannah.gnu.org/


_______________________________________________
Bug-grub mailing list
Bug-grub@gnu.org
https://lists.gnu.org/mailman/listinfo/bug-grub
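An added illustration of the requested hook, not code from this report or from GRUB's repository: a server-side pre-receive hook that rejects pushes to master or to any tag when they introduce a commit whose `%G?` status (the same field the report greps) is anything but G, a good and trusted signature. It assumes the committers' public keys are in the keyring of the user the git server runs as; the helper names are this example's own.

```shell
#!/bin/sh
# Added example: pre-receive hook enforcing signed commits on the refs the
# bug report names (master and all tags). Assumes the committers' GPG public
# keys are imported for the server user; git reports 'G' in %G? only for a
# good, trusted signature (N = unsigned, B = bad, U = untrusted, see git-log(1)).
PROTECTED_BRANCH='refs/heads/master'
ZERO=0000000000000000000000000000000000000000

# is_protected REF -> 0 if REF is master or any tag
is_protected() {
    case "$1" in
        "$PROTECTED_BRANCH"|refs/tags/*) return 0 ;;
        *) return 1 ;;
    esac
}

# check_status_lines reads "<sha> <%G?>" lines on stdin and reports every
# commit lacking a good signature; returns 1 if there was any.
check_status_lines() {
    bad=0
    while read -r sha status; do
        [ -z "$sha" ] && continue
        case "$status" in
            G) ;;                              # good, trusted signature
            *) echo "unsigned or bad signature ($status): $sha" >&2; bad=1 ;;
        esac
    done
    return $bad
}

# check_range OLD NEW: verify only the commits this push adds to the repo
# (a newly created ref is checked against everything already present, so
# pre-existing unsigned history is not retroactively rejected).
check_range() {
    if [ "$1" = "$ZERO" ]; then set -- "$2" --not --all; else set -- "$1..$2"; fi
    git log --format='%H %G?' "$@" | check_status_lines
}

main() {                                       # git feeds "old new ref" lines
    rc=0
    while read -r old new ref; do
        is_protected "$ref" || continue
        [ "$new" = "$ZERO" ] && continue       # ref deletion: nothing to verify
        check_range "$old" "$new" || rc=1
    done
    return $rc
}

case "$0" in */pre-receive|pre-receive) main ;; esac   # run only as the hook
```

Install it as `hooks/pre-receive` (executable) in the Savannah-side bare repository; a non-zero exit makes git refuse the whole push.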