Rich Freeman on 1 Jun 2015 12:27:34 -0700



Re: [PLUG] SourceForge has Malware?


On Mon, Jun 1, 2015 at 1:39 PM, Thomas Delrue <delrue.thomas@gmail.com> wrote:
>
> Crypto-signing is 'vouching' for something saying "yes, I as a trusted
> dev put my name under this piece of work and guarantee that it is
> 'good'. I have looked at what we are releasing and everything that went
> into the code since the last release and everything in it is part of the
> intended functionality".

Having dealt with electronic signatures in regulated environments for
many years, in my experience signatures (of any kind) mean exactly
what you put in writing and enforce.  Simply hitting the sign button
in a piece of software doesn't really mean anything at all, and a GPG
signature on its own just means that somebody with access to the
private key hit the sign button in their software.  Of course, that at
least is something, but it only really provides some kind of assurance
of integrity if you combine it with processes that require signers to
do some kind of checking, give the signer some way to actually
accomplish that check in a meaningful way, and actually ensure that
signers are following the process.

In any case, git does have the -S option which gpg-signs a commit.
And in true git-options-are-horrible fashion, there is no long version
of that.  There is also the -s/--signoff option which adds a
"Signed-off-by" header to the commit.  By itself there is no gpg
signature, but if you do add the -S signature then this header is
included in the data attached to the signature (as is everything else
in the commit record itself).

--
Rich
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
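The post above describes how the "Signed-off-by" trailer added by `-s` ends up inside the data that a `-S` signature covers. As an added illustration, not code from the thread or from git itself, the following Python splits a raw commit object (the bytes `git cat-file commit <rev>` prints) into the payload and detached signature the way `git verify-commit` does before handing both to gpg, and shows that the sign-off trailer sits inside that payload while the `gpgsig` header itself is stripped out. The commit object, author and signature text are constructed for the example; the signature block is a placeholder, not a real PGP signature.

```python
import hashlib
import re

# Constructed sample data: header lines and message of a commit, as git stores them.
HEADERS = [
    b"tree 4b825dc642cb6eb9a060e54bf8d69288fbee4904",
    b"parent 0000000000000000000000000000000000000000",
    b"author Jane Dev <jane@example.org> 1433183254 -0700",
    b"committer Jane Dev <jane@example.org> 1433183254 -0700",
]
MESSAGE = b"Fix input validation in release script\n\nSigned-off-by: Jane Dev <jane@example.org>\n"

# Placeholder ASCII armor, constructed for the example; gpg would reject it.
SIGNATURE = b"\n".join([
    b"-----BEGIN PGP SIGNATURE-----",
    b"",
    b"iQEzBAABCAAdFiEEconstructedPLACEHOLDERnotArealSignature=",
    b"=AbCd",
    b"-----END PGP SIGNATURE-----",
])


def build_commit(headers, message, signature=None):
    """Assemble a raw commit object in git's layout: header lines, an optional
    'gpgsig ' header whose continuation lines are indented by one space, a blank
    line, then the message (this is what `git commit -S` writes)."""
    lines = list(headers)
    if signature is not None:
        sig_lines = signature.split(b"\n")
        lines.append(b"gpgsig " + sig_lines[0])
        lines.extend(b" " + line for line in sig_lines[1:])
    return b"\n".join(lines) + b"\n\n" + message


def split_signed_commit(raw):
    """Return (payload, signature) for a raw commit object.

    payload is the byte string git passes to gpg for verification: the object
    with the gpgsig header removed. signature is the armored block rebuilt from
    that header (one-space indents stripped), or None if the commit is unsigned.
    Everything else, headers and message including any Signed-off-by trailer,
    stays in the payload and is therefore covered by the signature."""
    head, sep, message = raw.partition(b"\n\n")
    if not sep:
        raise ValueError("not a commit object: no blank line after headers")
    kept, sig_lines, in_sig = [], [], False
    for line in head.split(b"\n"):
        if line.startswith(b"gpgsig "):
            in_sig = True
            sig_lines.append(line[len(b"gpgsig "):])
        elif in_sig and line.startswith(b" "):
            sig_lines.append(line[1:])
        else:
            in_sig = False
            kept.append(line)
    payload = b"\n".join(kept) + b"\n\n" + message
    signature = b"\n".join(sig_lines) + b"\n" if sig_lines else None
    return payload, signature


SIGNOFF_RE = re.compile(rb"^Signed-off-by: (.+)$", re.MULTILINE)


def signers_in_payload(raw):
    """Names from Signed-off-by trailers that lie inside the signed payload.
    A sign-off alone is just text anyone can type; it only gains weight when
    the payload containing it carries a signature that verifies."""
    payload, _ = split_signed_commit(raw)
    _, _, message = payload.partition(b"\n\n")
    return [name.decode() for name in SIGNOFF_RE.findall(message)]


def commit_id(raw):
    """Object id git assigns in a SHA-1 repository: SHA-1 over the loose-object
    framing 'commit <size>\\0' followed by the raw object. Because the gpgsig
    header is part of the object, the signature is also part of the commit id."""
    return hashlib.sha1(b"commit %d\x00" % len(raw) + raw).hexdigest()


SAMPLE_UNSIGNED = build_commit(HEADERS, MESSAGE)
SAMPLE_SIGNED = build_commit(HEADERS, MESSAGE, SIGNATURE)

if __name__ == "__main__":
    payload, sig = split_signed_commit(SAMPLE_SIGNED)
    print("payload gpg verifies:\n" + payload.decode())
    print("detached signature:\n" + sig.decode())
    print("sign-offs covered by the signature:", signers_in_payload(SAMPLE_SIGNED))
    print("commit id (signed):  ", commit_id(SAMPLE_SIGNED))
    print("commit id (unsigned):", commit_id(SAMPLE_UNSIGNED))
```

In a real repository the same split is done for you by `git verify-commit <rev>` or `git log --show-signature`, which run gpg over the payload/signature pair. Note what that check proves: only that some key produced a valid signature over that payload. Which keys are allowed to sign, and what a signer was expected to review before signing, are policy questions the verifier has to enforce separately, which is the point the message above makes.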