Comments (29)
Will do, I've notified @zetok and @holgersson32644 to do the same.
from gentoo-overlay-tox.
hasufell, how do you check those signatures btw?
from gentoo-overlay-tox.
urras, what do you actually denote signing a commit?
from gentoo-overlay-tox.
@l29ah Using git log --show-signature, you can verify the author of the Git commits
from gentoo-overlay-tox.
@urras sure, but different people seem to mean different things when they sign a commit.
from gentoo-overlay-tox.
The issue title says "gpg sign" and the provided link in the first post shows how it's done. I don't see how that can be misunderstood.
from gentoo-overlay-tox.
The link doesn't clarify what they mean. It seems like popular interpretations are "signature verifies that the signer is the author of the changeset" and "same + signer trusts all the commits done before his commit".
from gentoo-overlay-tox.
signer trusts all the commits done before his commit
That doesn't make sense for non-merge commits and is not my job. I take responsibility only for my own commits, unless I pull someone else's changes.
from gentoo-overlay-tox.
But Linus and people implementing the user-side validation think different:
http://git.661346.n2.nabble.com/GPG-signing-for-git-commit-td2582986.html
https://aur.archlinux.org/packages/pa/parcimonie-sh-git/PKGBUILD
So it seems the signing policy should be explicitly noted somewhere or so.
from gentoo-overlay-tox.
But Linus and people implementing the user-side validation think different
I don't see any indication of that in Linus posts.
Linux is developed in a hierarchical manner and applies to exactly what I described in my previous post. You take responsibility for other commits ONLY if you MERGE them. And that's the only way to propagate patches up to Linus' tree. There is no one who has direct access to Linus' tree except Linus.
from gentoo-overlay-tox.
… and his hoster. Just like in your project, but you have more than one valid pusher; that doesn't change the point.
Anyway, what's the correct way to verify your repo contents can be trusted if I trust the (keys of) three of you, according to your model?
from gentoo-overlay-tox.
Three of the devs, I mean.
from gentoo-overlay-tox.
… and his hoster
The hoster cannot push with a valid gpg key.
but you have more than one valid pusher
As a user, you have to trust all of the pushers, obviously. Any pull request goes through at least one of them. So it's enough to check for the signatures of those pushers.
Signed tags are usually used to review the whole state of a repository and mark its integrity, but they don't make sense for overlays. If you want to automate the signature verification, write a script.
from gentoo-overlay-tox.
So what should the script do?
from gentoo-overlay-tox.
An incomplete example of what it could do. Simple shell stuff.
git log --committer="urras" --committer="Zetok Zalbavar" --pretty="format:%h %an %G?" fcd9a208515e6aff8bf23c0d706a98c954e71050..HEAD | grep '.* [NBU]$'
from gentoo-overlay-tox.
I don't see the criteria of validity from your example.
from gentoo-overlay-tox.
I don't see the criteria of validity from your example.
Read the git-log manpage.
from gentoo-overlay-tox.
It doesn't specify how I assert the validity of the repo.
from gentoo-overlay-tox.
It doesn't specify how I assert the validity of the repo.
I gave you a working script that prints out all non-trusted commits. I'm not going to explain every piece of it. That's what the manpage is for.
from gentoo-overlay-tox.
So do you mean git log --committer="urras" --committer="Zetok Zalbavar" --pretty="format:%h %an %G?" fcd9a208515e6aff8bf23c0d706a98c954e71050..HEAD | grep -q '.*[NBU]$' && echo untrusted || echo trusted ?
from gentoo-overlay-tox.
A more interesting problem is the following:
If you only trust the repository maintainers and only check their commits for validity, then you would still need to verify that any commit that's not done by those people is part of a merge. (Imagine somebody hacked GitHub again and committed straight to the repo... my above script wouldn't be able to catch that case.)
There are several ways to fix this problem:
- write a script that does this magic automatically and only verifies branch 'A' of a merge. This requires that there are no fast-forward merges! So it wouldn't only validate commits from the pushers, but any commit, as long as they are normal commits or in case of a merge branch 'A'. But I currently have no implementation for this. Afais this can't be done with a bash oneliner.
- don't do merges at all, use 'git am' instead, so we wouldn't have any committer except those that have direct push access. Git allows separation of committer and author, so this is no problem. However, in this case we wouldn't have the signature of the author, but only of the committer. This isn't a trust issue, but rather an information issue (you can't verify the identity of the author yourself).
from gentoo-overlay-tox.
So, here is the script that checks all commit signatures in a specific range except those that are part of a merged branch (but the merge commit is checked ofc).
git show -q --pretty="format:%h %an %G?" $(git rev-list --first-parent 0255e9ab84eb12784c054a4fd681333348f5912a..HEAD) | grep '.* [NBU]$'
This means:
- if you do fast-forward merges in this repository, then the merged commits have to be signed by the repository maintainers! So best not doing fast-forward merges at all. Enforce merge commits via git merge --no-ff.
- pull requests from other people don't necessarily need signed commits, although it's nice to have them signed
- applying pull requests manually via git am is also fine, since the committer is the one who signs, not the author
Something similar will probably be done via update hooks for the gentoo git tree (if it ever comes).
from gentoo-overlay-tox.
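An added example, not part of the thread: a Python wrapper around the first-parent check above that additionally requires the signing key to be one of the three maintainer keys posted later in this issue, and that rejects the %G? codes (E, X, Y, R) which the grep in the thread does not match. It assumes the %GK placeholder is available in the installed git; the sample log output and its hashes are constructed.

```python
"""Audit a git range for commits not signed by an overlay maintainer key.
Added example, not from the thread. %GK and the sample hashes are assumptions."""
import subprocess
import sys
# Long key IDs posted in this issue (added to AUTHORS in 61489b5).
MAINTAINER_KEYS = {"9DD9AB20E51227D2", "53137C3033F09008", "E55E95E8220F34D7"}
# %G? codes from git-log(1). The thread's grep only catches N, B and U;
# E (cannot check), X/Y (expired) and R (revoked) must be rejected too.
REASONS = {"B": "bad signature", "E": "signature cannot be checked",
           "N": "no signature", "R": "signing key revoked",
           "X": "signature expired", "Y": "signing key expired"}
FORMAT = "%H %G? %GK"  # commit hash, signature status, signing key ID


def audit(log_text):
    """Return [(sha, reason)] for each commit that must not be trusted.
    A commit passes only if gpg says G or U *and* the key is a maintainer key;
    the local gpg trust db is ignored, so U from a listed key is fine."""
    untrusted = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        sha, status, keyid = (line.split() + ["", ""])[:3]
        if status in ("G", "U"):
            if keyid.upper()[-16:] not in MAINTAINER_KEYS:
                untrusted.append((sha, f"signed by non-maintainer key {keyid or '?'}"))
        else:
            untrusted.append((sha, REASONS.get(status, f"unknown status {status!r}")))
    return untrusted


def audit_range(rev_range):
    """Audit only the first-parent chain (needs git): merged side branches are
    skipped but the merge commit is checked, so use --no-ff merges."""
    out = subprocess.run(["git", "log", "--first-parent",
                          f"--pretty=format:{FORMAT}", rev_range],
                         check=True, capture_output=True, text=True).stdout
    return audit(out)


# Constructed sample of `git log --pretty=format:"%H %G? %GK"` output.
SAMPLE = ("a" * 40 + " G 53137C3033F09008\n"    # good, maintainer key
          + "b" * 40 + " U 9dd9ab20e51227d2\n"  # unknown validity, maintainer key
          + "c" * 40 + " N\n"                   # unsigned
          + "d" * 40 + " E 0123456789ABCDEF\n"  # signing key not available
          + "e" * 40 + " G 0123456789ABCDEF\n") # good, but not a maintainer

if __name__ == "__main__":
    for sha, why in audit_range(sys.argv[1] if len(sys.argv) > 1 else "HEAD"):
        print(f"{sha[:7]} {why}")
```

Run it as `python3 audit.py fcd9a208515e6aff8bf23c0d706a98c954e71050..HEAD` inside a clone; an empty output means every first-parent commit in the range is signed by a listed maintainer key.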
@urras do you have a complete list of people who have push access and their public gpg keys?
We could then add some instructions to the readme how to automatically validate the signatures.
from gentoo-overlay-tox.
@hasufell so it will succeed if the tree is totally fake w/o any signature whatsoever.
By the way, $ gpg --recv-key 0x53137C3033F09008
gpg: requesting key 0x53137C3033F09008 from hkps server hkps.pool.sks-keyservers.net
gpgkeys: key 53137C3033F09008 not found on keyserver
gpg: no valid OpenPGP data found.
gpg: Total number processed: 0
from gentoo-overlay-tox.
so it will succeed if the tree is totally fake w/o any signature whatsoever.
no.
from gentoo-overlay-tox.
My PGP key is at https://pgp.mit.edu/pks/lookup?op=get&search=0x9DD9AB20E51227D2
I'm CCing @zetok and @holgersson32644 to get them to add their keys to this issue
from gentoo-overlay-tox.
https://pgp.mit.edu/pks/lookup?op=get&search=0x53137C3033F09008
from gentoo-overlay-tox.
https://pgp.mit.edu/pks/lookup?op=get&search=0xE55E95E8220F34D7
(The key runs until 2017.)
from gentoo-overlay-tox.
PGP keys were added to AUTHORS in 61489b5
from gentoo-overlay-tox.