guix-devel

Re: ‘core-updates’ merge is a squashed commit


From: Andy Wingo
Subject: Re: ‘core-updates’ merge is a squashed commit
Date: Mon, 08 Aug 2016 09:38:44 +0200
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/24.5 (gnu/linux)

On Sat 06 Aug 2016 04:07, Leo Famulari <address@hidden> writes:

> But, I also think the primary point of signing the commits is to record
> the identity of the person responsible for the commit, and so I think
> the policy should be to sign each commit. [0]

To me this is not the value that signing brings; rather, signing
protects against an attack in which a malicious third party updates the
Guix git repository to have a vulnerable commit.

Given that most people run "guix pull" without inspecting the commits,
this is real value: it would be possible to even make "guix pull" only
accept updates whose HEAD is signed by a key in the keyring.  Having the
hook only accept signed HEADs is a good start along that path of course.

> Isn't it better for the identity information to be inherent to the Git
> commits themselves, since those are what is preserved by Git? Git does
> not preserve hooks or policies.

The convention that a signature goes along with responsibility is also a
policy -- any path we take is a convention.

> Also, is there some problem with signing each commit? I don't know why
> we'd want to stop doing this.

I think there's a risk of signing fatigue.  The more signatures you make
with your key, the more likely it is that you sign something that you
didn't mean to.  To me it makes sense to reduce the number of signatures
to the minimum necessary to preserve whatever security properties we are
interested in; but YMMV obviously :)

Andy
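The hook Andy sketches, which would accept a HEAD only if it is signed by a key in the project's keyring, as an added example that is not part of this thread and not Guix's own code: a Python check driven by the raw gpg status lines that `git verify-commit --raw` writes to stderr. The allow-listed fingerprints, user IDs and status transcripts below are constructed for the example, not real keys or real captures.

```python
"""Policy check: is this commit signed by a key in the keyring?

Added example, not Guix's code.  It consumes the `[GNUPG:] ...` status lines
that `git verify-commit --raw <commit>` prints to stderr and decides whether
the commit satisfies "signed by a keyring member", which is stricter than
"has a signature gpg is happy with".
"""
import subprocess
from typing import Optional, Tuple

# Assumed allow-list of PRIMARY-key fingerprints the project ships as its
# keyring.  Both values are made up for this example, not real keys.
ALLOWED_FINGERPRINTS = {
    "0123456789ABCDEF0123456789ABCDEF01234567",
    "FEDCBA9876543210FEDCBA9876543210FEDCBA98",
}

SIGNATURE_VERDICTS = ("GOODSIG", "EXPKEYSIG", "REVKEYSIG", "BADSIG", "ERRSIG")


def parse_gpg_status(raw: str) -> Tuple[Optional[str], Optional[str]]:
    """Return (verdict, primary_fingerprint) from gpg --status-fd output.

    verdict is the first GOODSIG/EXPKEYSIG/REVKEYSIG/BADSIG/ERRSIG keyword
    seen, or None when gpg reported no signature at all.  The fingerprint is
    taken from VALIDSIG, whose 10th argument is the primary-key fingerprint
    when a subkey made the signature (1st argument otherwise); the key ID in
    GOODSIG is never used, since short IDs can be collided by an attacker.
    """
    verdict = None
    fingerprint = None
    for line in raw.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        keyword, args = fields[1], fields[2:]
        if keyword in SIGNATURE_VERDICTS and verdict is None:
            verdict = keyword
        elif keyword == "VALIDSIG" and args:
            # VALIDSIG fpr date ts expire ver reserved pkalgo hashalgo class [primary-fpr]
            fingerprint = args[9] if len(args) >= 10 else args[0]
    return verdict, fingerprint


def check_signature(raw: str, allowed=ALLOWED_FINGERPRINTS) -> Tuple[bool, str]:
    """Accept only GOODSIG + VALIDSIG whose primary key is in the allow-list."""
    verdict, fpr = parse_gpg_status(raw)
    if verdict is None:
        return False, "commit is not signed"
    if verdict != "GOODSIG":
        # EXPKEYSIG/REVKEYSIG are cryptographically valid but fail policy;
        # BADSIG/ERRSIG (no such public key, corrupt signature) fail outright.
        return False, f"signature rejected: {verdict}"
    if fpr is None:
        return False, "GOODSIG without VALIDSIG: no fingerprint to check"
    if fpr.upper() not in allowed:
        return False, f"valid signature, but key {fpr} is not in the keyring"
    return True, f"signed by keyring member {fpr}"


def commit_is_acceptable(commit: str, repo: str = ".") -> Tuple[bool, str]:
    """Run the policy against a real repository (needs git and gpg installed)."""
    proc = subprocess.run(
        ["git", "-C", repo, "verify-commit", "--raw", commit],
        capture_output=True, text=True, check=False)
    # --raw sends gpg's status lines to stderr; an unsigned commit yields none.
    return check_signature(proc.stderr)


# Constructed status transcripts in the shape gpg --status-fd emits (not captures).
GOOD_KEYRING_MEMBER = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Example Committer <committer@example.org>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2016-08-08 1470641924 0 4 0 22 8 01 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""
# Signature made by a subkey; the primary key (last VALIDSIG field) is listed.
GOOD_SUBKEY = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 1111222233334444 Example Committer <committer@example.org>
[GNUPG:] VALIDSIG 1111222233334444555566667777888899990000 2016-08-08 1470641924 0 4 0 22 8 01 FEDCBA9876543210FEDCBA9876543210FEDCBA98
"""
# Perfectly good signature, but from a key the project never admitted.
GOOD_UNKNOWN_KEY = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG ABCDEFABCDEFABCD Someone Else <else@example.net>
[GNUPG:] VALIDSIG ABCDEFABCDEFABCDEFABCDEFABCDEFABCDEFABCD 2016-08-08 1470641924 0 4 0 22 8 01 ABCDEFABCDEFABCDEFABCDEFABCDEFABCDEFABCD
"""
EXPIRED_KEY = """\
[GNUPG:] NEWSIG
[GNUPG:] EXPKEYSIG 89ABCDEF01234567 Example Committer <committer@example.org>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2016-08-08 1470641924 0 4 0 22 8 01 0123456789ABCDEF0123456789ABCDEF01234567
"""
BAD_SIGNATURE = """\
[GNUPG:] NEWSIG
[GNUPG:] BADSIG 89ABCDEF01234567 Example Committer <committer@example.org>
"""
UNSIGNED = ""


if __name__ == "__main__":
    for name, raw in [("keyring member", GOOD_KEYRING_MEMBER), ("subkey", GOOD_SUBKEY),
                      ("unknown key", GOOD_UNKNOWN_KEY), ("expired key", EXPIRED_KEY),
                      ("bad signature", BAD_SIGNATURE), ("unsigned", UNSIGNED)]:
        ok, why = check_signature(raw)
        print(f"{name:15} {'ACCEPT' if ok else 'REJECT'}: {why}")
```

The distinction the check draws, and which a plain "is HEAD signed?" hook does not: a GOODSIG line only says gpg found a signature it could verify with some key it knows. The policy Andy describes needs the primary-key fingerprint from VALIDSIG matched against the keyring, so a good signature from a stranger's key, an expired or revoked key, or a forged short key ID all fail, while subkeys of a listed primary key pass, which is what a keyring of primary keys implies. Wiring `commit_is_acceptable` into a pre-receive hook or a `guix pull` wrapper is the remaining step, and it depends on git and gpg being present on that host.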


