Re: [tlug] Any way to make code running on a cloud service publicly verifiable?

Curt Sampson writes:
 > On 2012-09-15 23:49 +0900 (Sat), Stephen J. Turnbull wrote:
 > > But what do you propose signing in the case of a direct checkout of
 > > rev deadbeefcafefeedbeadbabefacebadedeedaced from a public git
 > > repository?  The rev id, I guess?
 > The revision itself. The ability to do that is built in to git with "git
 > tag --sign".

All that does is sign the commit object, which contains a tree id and
metadata.  For our purpose, there's no difference: it still depends on
the chain of SHA1s.  Linus never claimed this provides good security,
just that it's better than no signature.

The monotone people do, but I don't know whether git's signing
protocol is as secure as monotone's.
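
Added example, not part of the original message: the hash chain described above, rebuilt in Python for a one-file repository, showing that the text a signed tag covers names the commit only by id and never contains file content. The file name, identity, timestamp and tag name are constructed for illustration.

```python
import hashlib

def git_object_id(kind: str, body: bytes) -> str:
    """Git names an object by SHA-1 over '<kind> <size>\\0' + body."""
    header = f"{kind} {len(body)}\0".encode()
    return hashlib.sha1(header + body).hexdigest()

def build_chain(file_content: bytes):
    """Return (blob id, tree id, commit id, tag text) for a one-file repo."""
    blob = git_object_id("blob", file_content)
    # Tree entry: '<mode> <name>\0' followed by the raw 20-byte blob id.
    tree_body = b"100644 app.py\0" + bytes.fromhex(blob)
    tree = git_object_id("tree", tree_body)
    ident = "Example Dev <dev@example.invalid> 1347720000 +0900"  # constructed
    commit_body = (f"tree {tree}\nauthor {ident}\ncommitter {ident}\n\n"
                   "Release build\n").encode()
    commit = git_object_id("commit", commit_body)
    # A signed tag's signature is computed over this text and nothing else.
    tag_text = (f"object {commit}\ntype commit\ntag v1.0\n"
                f"tagger {ident}\n\nv1.0\n").encode()
    return blob, tree, commit, tag_text

def compare(original: bytes, modified: bytes) -> dict:
    """Show how a content change propagates up to the signed text."""
    a, b = build_chain(original), build_chain(modified)
    return {
        # The file bytes themselves are never part of what gets signed.
        "content_in_signed_text": original in a[3],
        # A change in the file changes the blob, tree and commit ids in turn.
        "ids_changed": [x != y for x, y in zip(a[:3], b[:3])],
        # The signature notices only because the commit id in the text moved;
        # content that hashed to the same ids would leave this text identical.
        "signed_text_changed": a[3] != b[3],
    }

if __name__ == "__main__":
    blob, tree, commit, tag_text = build_chain(b"print('v1')\n")
    print("blob  ", blob)
    print("tree  ", tree)
    print("commit", commit)
    print(tag_text.decode())
    print(compare(b"print('v1')\n", b"print('v2')\n"))
```

The object ids follow git's own hashing rule, so the blob id printed here matches what "git hash-object" reports for the same bytes.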

