Re: [O] Why no secure code retrieval

2016-07-04 Thread Konstantin Kliakhandler
Thanks for the clarification and the detailed analysis. Sounds like you did your homework - I have a lot to learn. Anyway, I would say that we agree on most points, and I'm more than content to leave it at that :-). Best Regards, Kosta -- )°))°((°( Konstantin Kliakhandler Sent on the go. On Jul

Re: [O] Why no secure code retrieval

2016-07-03 Thread Robert Horn
Konstantin Kliakhandler writes: > > Sufficient for what? I believe we were discussing security (that was my > intention at least, and so did your previous email seem to indicate). And > if this is the case, you have just contradicted yourself. I apologize for > pointing it out so directly, and

Re: [O] Why no secure code retrieval

2016-07-03 Thread Konstantin Kliakhandler
Hello, On 3 July 2016 at 23:12, Robert Horn wrote: > > The SHA1's are reference elements used throughout git, and are primarily > for integrity protection against accidents, not against attackers. Hence > it's sufficient that > they be maintained by the git processes. >

Re: [O] Why no secure code retrieval

2016-07-03 Thread Robert Horn
Konstantin Kliakhandler writes: > Hello Robert, > > I am the OP. > > For what it is worth, the current discussion is actually precisely what I > was aiming at. I agree with your analysis of my intended goals but > completely disagree that SHA1 alone is any sort of guarantee. To be > precise, I

Re: [O] Why no secure code retrieval

2016-07-03 Thread Achim Gratz
Konstantin Kliakhandler writes: > For what it is worth, the current discussion is actually precisely what I > was aiming at. I agree with your analysis of my intended goals but > completely disagree that SHA1 alone is any sort of guarantee. To be > precise, I don't just think that it doesn't

Re: [O] Why no secure code retrieval

2016-07-03 Thread Konstantin Kliakhandler
Hello Robert, I am the OP. For what it is worth, the current discussion is actually precisely what I was aiming at. I agree with your analysis of my intended goals but completely disagree that SHA1 alone is any sort of guarantee. To be precise, I don't just think that it doesn't provide much,

Re: [O] Why no secure code retrieval

2016-07-03 Thread Robert Horn
I think that the original question was looking at a different problem, and discussion of hosted tooling may be a distraction. The issues that normally come up for cyber-security discussions of distribution need to be looked at. The following is a start at organizing those for org-mode. I think

Re: [O] Why no secure code retrieval

2016-07-03 Thread Achim Gratz
Bastien Guerry writes: > I encourage you to try gogs, it is very easy to install and maintain, > and its interface is very engaging. The more gogs users and potential > admins out there, the more comfortable I'll feel making the switch. If it requires anything more than dropping in the public

Re: [O] Why no secure code retrieval

2016-07-03 Thread Robert Klein
Hi, I haven't been as active as I'd have liked in this matter... Bastien Guerry wrote: > Hi Ian, > > Ian Barton writes: > > > Not heard of Gogs before, although it looks nice. Another possibility > > would be gitolite with cgit. Gitolite is very flexible

Re: [O] Why no secure code retrieval

2016-07-03 Thread Bastien Guerry
Hi Ian, Ian Barton writes: > Not heard of Gogs before, although it looks nice. Another possibility > would be gitolite with cgit. Gitolite is very flexible and as a > consequence can be hard to set up initially. The documentation is very > comprehensive. It supports

Re: [O] Why no secure code retrieval

2016-07-02 Thread Ian Barton
On Sat, Jul 02, 2016 at 04:18:42PM +0200, Bastien Guerry wrote: > Hi Nicolas, > > Nicolas Goaziou writes: > > > GPG signing tags is OK, but I wouldn't like to request every commit to > > be signed. > > Agreed. > > >>> I know that https can be a bit tedious to set up so I am

Re: [O] Why no secure code retrieval

2016-07-02 Thread Bastien Guerry
Hi Nicolas, Nicolas Goaziou writes: > GPG signing tags is OK, but I wouldn't like to request every commit to > be signed. Agreed. >>> I know that https can be a bit tedious to set up so I am not asking for it >>> (though I do think it would be great if it was enabled on

Re: [O] Why no secure code retrieval

2016-06-30 Thread Nicolas Goaziou
Hello, Arun Isaac writes: >> However, gpg signing release tag commits is dead simple and would >> take a total of maybe 10 minutes of work over the lifetime of the project >> (please correct me if I'm wrong). > > I second this statement. GPG signing sounds good to

Re: [O] Why no secure code retrieval

2016-06-29 Thread Arun Isaac
> However, gpg signing release tag commits is dead simple and would > take a total of maybe 10 minutes of work over the lifetime of the project > (please correct me if I'm wrong). I second this statement. GPG signing sounds good to me. We should do this. > I know that https can be a bit tedious

[O] Why no secure code retrieval

2016-06-28 Thread Konstantin Kliakhandler
Hello everyone, I have continually been perplexed by the (apparent) lack of ways to retrieve the code for org-mode in a secure fashion, but always thought that I just haven't tried hard enough. Today it dawned on me that there probably simply is no such way. I know that https can be a bit