Rich Freeman on 1 Jun 2015 12:27:34 -0700

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

Re: [PLUG] SourceForge has Malware?

On Mon, Jun 1, 2015 at 1:39 PM, Thomas Delrue <> wrote:
> Crypto-signing is 'vouching' for something saying "yes, I as a trusted
> dev put my name under this piece of work and guarantee that it is
> 'good'. I have looked at what we are releasing and everything that went
> into the code since the last release and everything in it is part of the
> intended functionality".

Having dealt with electronic signatures in regulated environments for
many years, in my experience signatures (of any kind) mean exactly
what you put in writing and enforce.  Simply hitting the sign button
in a piece of software doesn't really mean anything at all, and a GPG
signature on its own just means that somebody with access to the
private key hit the sign button in their software.  Of course, that at
least is something, but it only really provides some kind of assurance
of integrity if you combine it with processes that require signers to
do some kind of checking, give the signer some way to actually
accomplish that check in a meaningful way, and actually ensure that
signers are following the process.

In any case, git does have the -S option which gpg-signs a commit.
And in true git-options-are-horrible fashion, there is no long version
of that.  There is also the -s/--signoff option which adds a
"Signed-off-by" header to the commit.  By itself there is no gpg
signature, but if you do add the -S signature then this header is
included in the data attached to the signature (as is everything else
in the commit record itself).

Philadelphia Linux Users Group         --
Announcements -
General Discussion  --