Re: Commits signed by key not registered on Savannah
From: Mark H Weaver
Subject: Re: Commits signed by key not registered on Savannah
Date: Sun, 12 Feb 2017 16:55:14 -0500
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/25.1 (gnu/linux)

David Craven <address@hidden> writes:

> The integrity of our source code is given by peer review - we are
> subscribed to the commits ML so we see other people's commits.

If we're concerned about security (and we should be), then we should not
rely on the commits mailing list (or any web interface) to show us the
same set of commits that have been pushed to the repo. An attacker
could prevent some of those emails from reaching us, or modify them in
transit to introduce a malicious commit into our repository without it
being noticed.

It's better to "git pull" and read the commits directly out of our local
copy of the git repository.

Mark
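
An added example, not part of the original message or of any project's tooling: a shell sketch of reviewing fetched commits from the local clone rather than from mail, which also goes a step further and flags commits whose signature is not good or whose key is not on a reviewer-kept list. The remote `origin`, the branch `master`, the key-list file and all function names are assumptions.

```shell
# Added example. Assumes a POSIX shell, a clone with remote "origin" and
# branch "master", and a hypothetical file of allowed signing key IDs, one
# per line, written exactly as git prints them for %GK.

# new_commits OLD NEW: one line per commit in OLD..NEW, read from the local
# object store, as: hash|signature status|signing key|author: subject
new_commits() {
    git log --reverse --format='%H|%G?|%GK|%an: %s' "$1..$2"
}

# flag_unverified KEYFILE: filter new_commits output on stdin. Prints the
# commits whose signature status is not "G" (good) or whose signing key is
# not listed in KEYFILE, as: hash<TAB>reason<TAB>author: subject
flag_unverified() {
    keyfile=$1
    # '|' is a non-whitespace separator, so the empty key field of an
    # unsigned commit is preserved instead of shifting the columns.
    while IFS='|' read -r hash status key rest; do
        reason=
        if [ "$status" != G ]; then
            reason="signature status $status"
        elif ! grep -qxF -- "$key" "$keyfile"; then
            reason="key $key not in allowed list"
        fi
        if [ -n "$reason" ]; then
            printf '%s\t%s\t%s\n' "$hash" "$reason" "$rest"
        fi
    done
    return 0
}

# review_fetch KEYFILE: fetch, list flagged commits, then show the full
# patches with signature details for reading before merging.
review_fetch() {
    git fetch origin master || return 1
    new_commits master origin/master | flag_unverified "$1"
    git log --reverse -p --show-signature master..origin/master
}
```

Treating only status `G` as acceptable is deliberately strict: a valid signature from a key of unknown validity in the local keyring reports `U` and is flagged too.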