From: Linus Torvalds <torvalds@linux-foundation.org>
To: Jakub Narebski <jnareb@gmail.com>
Cc: git@vger.kernel.org
Subject: Re: git-pull and tag objects
Date: Sat, 10 Feb 2007 13:58:59 -0800 (PST) [thread overview]
Message-ID: <Pine.LNX.4.64.0702101347350.8424@woody.linux-foundation.org> (raw)
In-Reply-To: <eqldhe$h7i$1@sea.gmane.org>
On Sat, 10 Feb 2007, Jakub Narebski wrote:
>
> One of the solutions, used in git.git repository, is to put public key
> as a out-of-tree blob using git-hash-object, then tag it using singed tag
> with instruction about how to extract key in the tag message (tag comment).
No. That's horrible. Yes, it's what Junio did, but if you don't trust the
archive, the _last_ thing you should do is to depend on a blob in the
archive itself to contain the thing to make you trust it more.
So you want to get the gpg public key from somewhere else to be able to
_independently_ verify that it's ok.
Otherwise, somebody could just totally replace the object with one of
their own, and then _claim_ that the public key they made is
"junio-gpg-pub", and fool people into thinkign it's signed by Junio.
So to get a valid chain of trust, you really have to have some sideband
channel to get you started. There's a lot of infrastructure for that
elsewhere (ie the whole "sign other peoples keys" thing that is so central
to pgp), but even if you don't have a key to start with, you're actually
better off getting a key (even with no other validation) from an
independent source than have it be in the repository itself. Because at
least then any attacker has to fake _two_ things, rather than just a
single repo.
Of course, in *practice* this is not a problem. And, in fact, thanks to
git's SHA1 setup, you obviously don't have to really verify the key itself
in git, you really only want to verify that yes, the object name is
correct (ie if you get some sideband information from Junio that the
"object 0246401b5d117e01717149c413aa2f8702a83d4f" really is Junio's key,
that's sufficient in itself).
(The "sideband channel" can be something as simple as google. For example,
if you just google for the SHA1 of the tag itself, you'll actually get a
lot of hits for it - a0e7d36193b96f552073558acf5fcc1f10528917 (which is
not the key itself, but it is the tag that points to it, which in turn is
signed with the key) shows up in manyplaces, and that very fact in itself
is "interesting" as a sideband information. It's not "proof", but it's
certainly one piece of information that may make you more comfortable with
that tag not being something recent and fake - it's been around and been
quoted by me in email archives, so if it's faked, it's fooled a number of
people).
Linus
next prev parent reply other threads:[~2007-02-10 21:59 UTC|newest]
Thread overview: 26+ messages / expand[flat|nested] mbox.gz Atom feed top
2007-02-08 11:16 git-pull and tag objects Alex Bennee
2007-02-09 9:33 ` Alex Riesen
2007-02-09 23:19 ` Junio C Hamano
2007-02-10 0:14 ` [PATCH] git-fetch: document automatic tag following Junio C Hamano
2007-02-10 14:23 ` git-pull and tag objects Theodore Tso
2007-02-10 17:56 ` Linus Torvalds
2007-02-10 21:32 ` Jakub Narebski
2007-02-10 21:58 ` Linus Torvalds [this message]
2007-02-11 21:55 ` Junio C Hamano
2007-02-12 0:40 ` Jakub Narebski
2007-02-11 0:25 ` Theodore Tso
2007-02-11 3:21 ` Linus Torvalds
2007-02-11 5:52 ` Junio C Hamano
2007-02-11 17:49 ` Linus Torvalds
2007-02-11 19:17 ` Junio C Hamano
2007-02-11 19:21 ` Junio C Hamano
2007-02-11 19:25 ` Linus Torvalds
2007-02-11 21:41 ` Junio C Hamano
2007-02-12 16:27 ` Theodore Tso
2007-02-13 6:17 ` Junio C Hamano
2007-02-14 6:38 ` Linus Torvalds
2007-02-14 7:22 ` Junio C Hamano
2007-02-14 11:18 ` Johannes Schindelin
2007-02-14 16:35 ` Linus Torvalds
2007-02-15 1:21 ` Jakub Narebski
2007-02-15 1:34 ` Johannes Schindelin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=Pine.LNX.4.64.0702101347350.8424@woody.linux-foundation.org \
--to=torvalds@linux-foundation.org \
--cc=git@vger.kernel.org \
--cc=jnareb@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.