All of lore.kernel.org
 help / color / mirror / Atom feed
From: Junio C Hamano <gitster@pobox.com>
To: Jeff King <peff@peff.net>
Cc: git@vger.kernel.org, "Shawn O. Pearce" <spearce@spearce.org>
Subject: Re: [PATCH 2/2] push -s: skeleton
Date: Fri, 09 Sep 2011 10:32:21 -0700	[thread overview]
Message-ID: <7v8vpxvcyi.fsf@alter.siamese.dyndns.org> (raw)
In-Reply-To: <20110909153441.GB28480@sigill.intra.peff.net> (Jeff King's message of "Fri, 9 Sep 2011 11:34:41 -0400")

Jeff King <peff@peff.net> writes:

> On Thu, Sep 08, 2011 at 03:19:54PM -0700, Junio C Hamano wrote:
>
>> My take on it is somewhat different. The only thing in the end result we
>> want to see is that the pushed commits are annotated with GPG signatures
>> in the notes tree, and there is no reason for us to cast in stone that
>> there has to be any significance in the commit history of the notes tree.
>
> Hmm. Is order really irrelevant? If you push a commit to master, moving
> it from X to Y, then push-rewind it back to X, then push a new commit Z,
> how do I cryptographically determine the correct final state of master?

You don't, as the certs are more about "up to this point, the pusher
trusts the history". I should have made it clearer in the cover letter to
the rerolled series, but the push certificate does not record the old
value of the ref in the reroll, because the point of signed-push is not
about signing the information that is equivalent to the server side
reflog.

You would have a signed push record that pushed Y, X and Z, and commit Z
sitting at the tip of 'master'. A few days may pass and then you run

    $ git log --show-notes=refs/notes/push-signature master

to find that the first commit with a push signature by somebody whose
judgement you trust is Z. Then you would need to inspect only commits that
are not ancestors of Z even if you suspect that some commits near the tip
of 'master' at the server side were tampered with.

You may at the same time find commits signed by the trusted people that
are meant for the same branch but are not contained in the history of
'master' (e.g. Y), which might indicate that the branch was rewound,
possibly by an intruder.

Another possible scenario. Later you and the pusher of Z may find that
when the pusher created Z, he merged something questionable and Z may now
have to be in "untrustable" set. You can dig further to find X at that
point.

> OK, I see. It is not "the server can do whatever it likes with the
> information" as much as "the server can do whatever it likes, but at the
> very least should eventually create a notes tree of a given form".

Yes, examples of things the server side might want to additionally do in
pre-receive-signature hook are to read the push certificate to implement
authorization (and it can be per-branch if you wanted to) and to forward
it immediately to offsite storage for safekeeping (the storage does not
have to use git notes to implement it).

  reply	other threads:[~2011-09-09 17:32 UTC|newest]

Thread overview: 26+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2011-09-07 20:56 [PATCH 1/2] send-pack: typofix error message Junio C Hamano
2011-09-07 20:57 ` [PATCH 2/2] push -s: skeleton Junio C Hamano
2011-09-07 21:18   ` Shawn Pearce
2011-09-07 22:21     ` Junio C Hamano
2011-09-07 23:23       ` Shawn Pearce
2011-09-08 16:24         ` Junio C Hamano
2011-09-07 22:21   ` Nguyen Thai Ngoc Duy
2011-09-07 22:40     ` Junio C Hamano
2011-09-07 23:55   ` Robin H. Johnson
2011-09-08 20:03     ` Jeff King
2011-09-09  1:30       ` Robin H. Johnson
2011-09-09 16:03         ` Joey Hess
2011-09-09 16:14           ` Drew Northup
2011-09-09 19:12           ` Jeff King
2011-09-08  4:37   ` [PATCH 3/2] Split GPG interface into its own helper library Junio C Hamano
2011-09-08  4:38   ` [PATCH 4/2] push -s: send signed push certificate Junio C Hamano
2011-09-08  5:38     ` [PATCH 5/2] push -s: receiving end Junio C Hamano
2011-09-08  9:31       ` Johan Herland
2011-09-08 16:43         ` Junio C Hamano
2011-09-08 19:35   ` [PATCH 2/2] push -s: skeleton Jeff King
2011-09-08 20:48     ` Junio C Hamano
2011-09-08 21:02       ` Jeff King
2011-09-08 22:19         ` Junio C Hamano
2011-09-09 15:34           ` Jeff King
2011-09-09 17:32             ` Junio C Hamano [this message]
     [not found]         ` <CAJo=hJsQvRN3Z0xJg9q37Km1g_1qUdJKNQ6n8=a9mv3YjugyVw@mail.gmail.com>
2011-09-09 15:22           ` Jeff King

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=7v8vpxvcyi.fsf@alter.siamese.dyndns.org \
    --to=gitster@pobox.com \
    --cc=git@vger.kernel.org \
    --cc=peff@peff.net \
    --cc=spearce@spearce.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.