From: Konstantin Ryabitsev <konstantin@linuxfoundation.org>
To: dwh@linuxprogrammer.org
Cc: "brian m. carlson" <sandals@crustytoothpaste.net>,
"Ævar Arnfjörð Bjarmason" <avarab@gmail.com>,
git@vger.kernel.org
Subject: Re: Is the sha256 object format experimental or not?
Date: Thu, 13 May 2021 16:49:57 -0400 [thread overview]
Message-ID: <20210513204957.5g76czb5bk3thlep@meerkat.local> (raw)
In-Reply-To: <20210513202919.GE11882@localhost>
On Thu, May 13, 2021 at 01:29:19PM -0700, dwh@linuxprogrammer.org wrote:
> 3. The key material used for identifying contributors needs to move into
> the repos themselves for many reasons but the most important two
> reasons are (1) the repo comes with all of the data necessary to
> verify all of the digital signatures (i.e. solving the PKI problem
> for a project) and (2) to track the provenance of the public keys and
> other related data that each contributor uses. If Git repos contain
> provenance logs that are controlled and maintained by each
> contributor, those logs can also contain digital signatures over the
> code of conduct and the developer certificate of origin and other
> governing documents for a project that are legally binding (i.e.
> follow eIDAS and other legal digital signature rules). Solving the
> PKI problem alone makes digitally signing commits infinitely more
> useful and will drive adoption. Solving the non-repudiable provenance
> problem is the raison d'être of organizations like the Linux
> Foundation. I think Git should align itself with where technology is
> heading on that front.
Dave:
Check out what we're doing as part of patatt and b4:
https://pypi.org/project/patatt/
It takes your keyring-in-git idea and runs with it -- it would be good to have
your input while the project is still young and widely unknown. :)
-K
next prev parent reply other threads:[~2021-05-13 20:50 UTC|newest]
Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-05-08 2:22 Preserving the ability to have both SHA1 and SHA256 signatures dwh
2021-05-08 6:39 ` Christian Couder
2021-05-08 6:56 ` Junio C Hamano
2021-05-08 8:03 ` Felipe Contreras
2021-05-08 10:11 ` Stefan Moch
2021-05-08 11:12 ` Junio C Hamano
2021-05-09 0:19 ` brian m. carlson
2021-05-10 12:22 ` Is the sha256 object format experimental or not? Ævar Arnfjörð Bjarmason
2021-05-10 22:42 ` brian m. carlson
2021-05-13 20:29 ` dwh
2021-05-13 20:49 ` Konstantin Ryabitsev [this message]
2021-05-13 23:47 ` dwh
2021-05-14 13:45 ` Konstantin Ryabitsev
2021-05-14 17:39 ` dwh
2021-05-13 21:03 ` Junio C Hamano
2021-05-13 23:26 ` dwh
2021-05-14 8:49 ` Ævar Arnfjörð Bjarmason
2021-05-14 18:10 ` dwh
2021-05-18 5:32 ` Jonathan Nieder
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210513204957.5g76czb5bk3thlep@meerkat.local \
--to=konstantin@linuxfoundation.org \
--cc=avarab@gmail.com \
--cc=dwh@linuxprogrammer.org \
--cc=git@vger.kernel.org \
--cc=sandals@crustytoothpaste.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).