Re: [git patches] libata updates, GPG signed (but see admin notes)
From: James Bottomley
Date: Mon Oct 31 2011 - 04:19:21 EST
On Sun, 2011-10-30 at 10:12 -0700, Linus Torvalds wrote:
> On Sun, Oct 30, 2011 at 3:05 AM, James Bottomley
> <James.Bottomley@xxxxxxxxxxxxxxxxxxxxx> wrote:
> >
> > You can fix this by using mime and detached signatures as well but I
> > wouldn't worry too much about it. What emerged at KS is that Linus uses
> > gmail and gmail has no integration with pgp, thus pgp signing of pull
> > requests is superfluous since Linus won't add the steps of saving the
> > message to a text file and manually running pgp over it to verify
> > because of the huge elongation in workflow this causes especially during
> > a merge window.
>
> Actually, I have been running "gpg --verify" on the email that use the
> standard PGP encapsulation (ie the kind that Jeff used, that has
> "-----BEGIN PGP SIGNED MESSAGE-----" in it.
>
> It's the rfc3516-type email (aka protocol="application/pgp-encrypted")
> type that I can't even verify, because that's not something that gpg
> knows inherently how to check: you have to decode the message the
> right way and know what the rules are, and I have no intention of
> trying to figure it out. I have yet to find any usable tool that is
> able to check it, and I'm certainly not going to waste time trying to
> parse the rfc and write my own.
OK, so I get clearly no partial PGP messages and no using rfc3516
formatted pgp mail.
> That said, even the "BEGIN PGP SIGNED MESSAGE" things are a massive
> pain in the butt. We need to automate this some sane way, both for the
> sender and for the recipient.
But this doesn't help with what practise you want us to follow. Do you
want us to send full signed email using pgp encapsulation for pull
requests in spite of the mangling it does to attached patches and the
amount of extra pain it causes you? Or is relying on looking at the
received headers and always using public email lists to detect spoofing
by revocation OK until we find a mechanism for integrating pgp into git?
James
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/