
Re: git and https



> Why? Which attack do you envision[...]that would
> be thwarted by https but not by signed commits?

I don't; I see https as easier and hence more likely to actually get used in practice.

Telling users to use the existing https:// instead of git:// is a simple change to the wiki; enabling https on a server that doesn't currently have it is...I don't know exactly, but I'm guessing along the lines of "get a certificate and change a few settings". Using signed commits requires every committer to do so.

Also, for casual users (e.g. bug reporters being asked "does that still happen in latest git?" [0]), https gets checked automatically, while signatures are only checked on user request [1].

(Is there a git option for "check signatures on every pull"? commit.gpgSign appears to be "sign my own commits".)

[0] policy at e.g. http://nouveau.freedesktop.org/wiki/Bugs/
[1]
~$ git clone https://anonscm.debian.org/git/gnuk/gnuk/gnuk.git
Cloning into 'gnuk'...
remote: Counting objects: 10559, done.
remote: Compressing objects: 100% (2969/2969), done.
remote: Total 10559 (delta 7709), reused 10296 (delta 7519)
Receiving objects: 100% (10559/10559), 11.77 MiB | 299.00 KiB/s, done.
Resolving deltas: 100% (7709/7709), done.
Checking connectivity... done.
~$ cd gnuk
~/gnuk$ git checkout release/1.1.4
Note: checking out 'release/1.1.4'.

You are in 'detached HEAD' state. You can look around, make experimental
changes and commit them, and you can discard any commits you make in this
state without impacting any branches by performing another checkout.

If you want to create a new branch to retain commits you create, you may
do so (now or later) by using -b with the checkout command again. Example:

  git checkout -b new_branch_name

HEAD is now at e7e8b9f... version 1.1.4
~/gnuk$ git tag -v release/1.1.4
object e7e8b9f5ca414a5c901f61b0f043c8da42414103
type commit
tag release/1.1.4
tagger NIIBE Yutaka <gniibe@fsij.org> 1418623147 +0900

version 1.1.4
gpg: Signature made Mon 15 Dec 2014 05:59:07 GMT using RSA key ID 4CA7BABE
gpg: Can't check signature: public key not found
error: could not verify the tag 'release/1.1.4'
~/gnuk$ git tag -v release/1.1.4 --keyring /usr/share/keyrings/debian-keyring.gpg
error: unknown option `keyring'
usage: [...]
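
An added example, not part of the original message: `git tag -v` has no `--keyring` option, but a signed tag can be split into payload and detached signature and handed to `gpgv`, which does take `--keyring`. The function names are hypothetical, and verification only succeeds if the signer's key is actually in the keyring passed in.

```shell
#!/bin/sh
# Added example: check a signed git tag against an explicit keyring using gpgv.
# A signed tag object is the tag text followed by an ASCII-armored signature
# made over everything that precedes the armor header.

SIG_BEGIN='-----BEGIN PGP SIGNATURE-----'

# split_signed_tag TAGFILE PAYLOAD_OUT SIG_OUT
# Writes the signed payload and the detached signature to separate files.
# Returns 1 if the tag object carries no signature.
split_signed_tag() {
    grep -q "^${SIG_BEGIN}\$" "$1" || return 1
    sed -n "/^${SIG_BEGIN}\$/q;p" "$1" > "$2"    # lines before the armor
    sed -n "/^${SIG_BEGIN}\$/,\$p" "$1" > "$3"   # armor header to end of object
}

# verify_tag_with_keyring TAG KEYRING   (run inside the repository)
# Exit status: 0 good signature, 1 unsigned or not verifiable, 2 usage error.
verify_tag_with_keyring() {
    # Only annotated tags are objects of type "tag"; lightweight tags
    # are plain refs and cannot carry a signature.
    [ "$(git cat-file -t "refs/tags/$1" 2>/dev/null)" = tag ] || return 2
    tmp=$(mktemp -d) || return 2
    git cat-file tag "refs/tags/$1" > "$tmp/tag"
    if split_signed_tag "$tmp/tag" "$tmp/payload" "$tmp/sig"; then
        # gpgv trusts exactly the keys in the given keyring, nothing else.
        gpgv --keyring "$2" "$tmp/sig" "$tmp/payload"
        rc=$?
    else
        echo "tag $1 is not signed" >&2
        rc=1
    fi
    rm -rf "$tmp"
    return $rc
}

# Stand-alone use: sh verify-tag.sh release/1.1.4 /usr/share/keyrings/debian-keyring.gpg
if [ $# -eq 2 ]; then
    verify_tag_with_keyring "$1" "$2"
fi
```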

