All of lore.kernel.org
 help / color / mirror / Atom feed
From: Linus Torvalds <torvalds@linux-foundation.org>
To: Jakub Narebski <jnareb@gmail.com>
Cc: git@vger.kernel.org
Subject: Re: git-pull and tag objects
Date: Sat, 10 Feb 2007 13:58:59 -0800 (PST)	[thread overview]
Message-ID: <Pine.LNX.4.64.0702101347350.8424@woody.linux-foundation.org> (raw)
In-Reply-To: <eqldhe$h7i$1@sea.gmane.org>



On Sat, 10 Feb 2007, Jakub Narebski wrote:
> 
> One of the solutions, used in git.git repository, is to put public key
> as a out-of-tree blob using git-hash-object, then tag it using singed tag
> with instruction about how to extract key in the tag message (tag comment).

No. That's horrible. Yes, it's what Junio did, but if you don't trust the 
archive, the _last_ thing you should do is to depend on a blob in the 
archive itself to contain the thing to make you trust it more.

So you want to get the gpg public key from somewhere else to be able to 
_independently_ verify that it's ok.

Otherwise, somebody could just totally replace the object with one of 
their own, and then _claim_ that the public key they made is 
"junio-gpg-pub", and fool people into thinkign it's signed by Junio.

So to get a valid chain of trust, you really have to have some sideband 
channel to get you started. There's a lot of infrastructure for that 
elsewhere (ie the whole "sign other peoples keys" thing that is so central 
to pgp), but even if you don't have a key to start with, you're actually 
better off getting a key (even with no other validation) from an 
independent source than have it be in the repository itself. Because at 
least then any attacker has to fake _two_ things, rather than just a 
single repo.

Of course, in *practice* this is not a problem. And, in fact, thanks to 
git's SHA1 setup, you obviously don't have to really verify the key itself 
in git, you really only want to verify that yes, the object name is 
correct (ie if you get some sideband information from Junio that the 
"object 0246401b5d117e01717149c413aa2f8702a83d4f" really is Junio's key, 
that's sufficient in itself).

(The "sideband channel" can be something as simple as google. For example, 
if you just google for the SHA1 of the tag itself, you'll actually get a 
lot of hits for it - a0e7d36193b96f552073558acf5fcc1f10528917 (which is 
not the key itself, but it is the tag that points to it, which in turn is 
signed with the key) shows up in manyplaces, and that very fact in itself 
is "interesting" as a sideband information. It's not "proof", but it's 
certainly one piece of information that may make you more comfortable with 
that tag not being something recent and fake - it's been around and been 
quoted by me in email archives, so if it's faked, it's fooled a number of 
people).

		Linus

  reply	other threads:[~2007-02-10 21:59 UTC|newest]

Thread overview: 26+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2007-02-08 11:16 git-pull and tag objects Alex Bennee
2007-02-09  9:33 ` Alex Riesen
2007-02-09 23:19   ` Junio C Hamano
2007-02-10  0:14     ` [PATCH] git-fetch: document automatic tag following Junio C Hamano
2007-02-10 14:23     ` git-pull and tag objects Theodore Tso
2007-02-10 17:56       ` Linus Torvalds
2007-02-10 21:32         ` Jakub Narebski
2007-02-10 21:58           ` Linus Torvalds [this message]
2007-02-11 21:55             ` Junio C Hamano
2007-02-12  0:40               ` Jakub Narebski
2007-02-11  0:25         ` Theodore Tso
2007-02-11  3:21           ` Linus Torvalds
2007-02-11  5:52         ` Junio C Hamano
2007-02-11 17:49           ` Linus Torvalds
2007-02-11 19:17             ` Junio C Hamano
2007-02-11 19:21               ` Junio C Hamano
2007-02-11 19:25               ` Linus Torvalds
2007-02-11 21:41                 ` Junio C Hamano
2007-02-12 16:27           ` Theodore Tso
2007-02-13  6:17             ` Junio C Hamano
2007-02-14  6:38               ` Linus Torvalds
2007-02-14  7:22                 ` Junio C Hamano
2007-02-14 11:18                   ` Johannes Schindelin
2007-02-14 16:35                     ` Linus Torvalds
2007-02-15  1:21                 ` Jakub Narebski
2007-02-15  1:34                   ` Johannes Schindelin

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=Pine.LNX.4.64.0702101347350.8424@woody.linux-foundation.org \
    --to=torvalds@linux-foundation.org \
    --cc=git@vger.kernel.org \
    --cc=jnareb@gmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.