Re: [git patches] libata updates, GPG signed (but see admin notes)
From: Ingo Molnar
Date: Mon Oct 31 2011 - 04:42:36 EST
* Linus Torvalds <torvalds@xxxxxxxxxxxxxxxxxxxx> wrote:
> That said, even the "BEGIN PGP SIGNED MESSAGE" things are a massive
> pain in the butt. We need to automate this some sane way, both for
> the sender and for the recipient.
The most practical form would be if Git supported such oneliner pull
requests:
git pull git://foo.com bar.branch \
--pull-sha1 0acf00014bcfd71090c3b0d43c98e970108064e4 \
--gpg-by: "Ingo Molnar <mingo@xxxxxxxxxx>" \
--gpg-sig: 8a6f134afd1d212fe21345
maintainers could just paste them into a shell and it would abort if
it's not trusted. The maintainer verifies the visible, 'Ingo Molnar'
bit. The 8a6f134afd1d212fe21345 is a signed-by-Ingo-Molnar version of
this content:
git://foo.com bar.branch 0acf00014bcfd71090c3b0d43c98e970108064e4
And Git would verify that what ends up being pulled is indeed
0acf00014bcfd and also verifies that it was signed by me.
[ If we are extra diligent/paranoid then beyond the sha1 we might
even GPG sign the shortlog, or even the full raw log of all commits
leading to the sha1: this introduces some Git shortlog and patch
formatting version dependency though.
Git could also double check foo.com's DNS coherency, or check it
against a known-trusted whitelist of domain names specified in the
maintainer's .gitconfig, as an extra layer. ]
Doing it in this form would remove all the mail formatting madness -
one could paste such a pull request into a shell straight away, from
HTML email, from text email, from MIME email, etc.
In fact i would trust such a Git based solution far more than any
opaque, invisible tool that claims to have checked a signature with
cooperation of my mail client (ha!).
The only somewhat non-obvious bit is that Git should be *very*
careful about its key ID and signature parsing strategy, to protect
against social engineering attacks.
For example neither this:
--gpg-by: "Ingo Molnar <mingo@xxxxxxxxxx>"
nor this:
--pgp-by: "Ingo Molnar <mingo@xxxxxxxxxx>"
malicious pull request should slip through in any fashion:
- Git should only use keys that are in your ring of trust - not pull
keys from the public keyring automatically and just check
coherency of the pull request or such. [I'm sure people will be
tempted to have such a feature - but that temptation should be
resisted.]
- Git should abort the moment it sees an unknown option
Thanks,
Ingo
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/