On Mon, Aug 10, 2015 at 11:44 PM, Matthias Maier tam...@gentoo.org wrote:
That is, I was under the impression signing a tag only signs the
references themselves, and then relies on SHA1 referential integrity
beyond that.
No, a signed tag verifies that the whole integrity of the entire
constantly adds any security to the tree. What might add security for
end-users is if git automatically checked the push signatures, which
are the signatures that ensure that branches aren't tampered with
(which is what rebasing you bring up actually does).
It is news to me that a signature
On Tue, Aug 11, 2015 at 10:53 AM, Matthias Maier tam...@gentoo.org wrote:
constantly adds any security to the tree. What might add security for
end-users is if git automatically checked the push signatures, which
are the signatures that ensure that branches aren't tampered with
(which is
Users can fetch/pull from Github.
We could also provide automatic signed tags every 30min/1h/2h/whatever
(signed with a suitable infrastructure key). With that, the integrity of
a tagged git checkout can be easily verified on client side.
Best,
Matthias
On 10 Aug 2015 16:05, Matthias Maier wrote:
Users can fetch/pull from Github.
We could also provide automatic signed tags every 30min/1h/2h/whatever
(signed with a suitable infrastructure key). With that, the integrity of
a tagged git checkout can be easily verified on client side.
it
On 11 August 2015 at 09:05, Matthias Maier tam...@gentoo.org wrote:
We could also provide automatic signed tags every 30min/1h/2h/whatever
(signed with a suitable infrastructure key). With that, the integrity of
a tagged git checkout can be easily verified on client side.
I'm distinctly under
On 11 August 2015 at 15:06, Mike Frysinger vap...@gentoo.org wrote:
it would have to re-use the same tag name every time otherwise we end up with
17.5k/8.7k/4.3k/whatever new tags per year ... a really bad idea
I was very much under the impression git is not designed with repeated
tag
That is, I was under the impression signing a tag only signs the
references themselves, and then relies on SHA1 referential integrity
beyond that.
No, a signed tag verifies that the whole integrity of the entire
repository, whereas a signed commit only authenticates the differences
introduced
it would have to re-use the same tag name every time otherwise we end up with
17.5k/8.7k/4.3k/whatever new tags per year ... a really bad idea
Or we supply a signature of the sha1-sum of the tag in question by some
external procedure...
Best,
Matthias
On 11 August 2015 at 15:44, Matthias Maier tam...@gentoo.org wrote:
No, a signed tag verifies that the whole integrity of the entire
repository, whereas a signed commit only authenticates the differences
introduced by a single commit.
git tag -s test
cat ./.git/refs/tags/test
On Mon, Aug 10, 2015, at 22:56 CDT, Kent Fredric kentfred...@gmail.com wrote:
So how is GPG verifying The whole repository ?
You can verify the state of the repository via
$ git fsck
after that you can verify that the current HEAD is tagged with a valid
and signed tag with something like
On 11 Aug 2015 15:23, Kent Fredric wrote:
On 11 August 2015 at 15:06, Mike Frysinger wrote:
it would have to re-use the same tag name every time otherwise we end up
with
17.5k/8.7k/4.3k/whatever new tags per year ... a really bad idea
I was very much under the impression git is not