John Keeping wrote:
> On Sat, Mar 07, 2015 at 06:35:10PM -0500, Todd Zullinger wrote:
>> But while we're on the subject, are there PGP signatures available for
>> the cgit tarballs themselves? I know the git tags are signed, but I
>> don't think I've seen detached signatures for the tarballs. In this
>> case, how does a user become "happy that the CGit distribution they
>> have is trustworthy"? The cgit tarball download isn't available via
>> https either, which might be a reasonable answer in the absence of a
>> detached git signature.
>>
>> Without a signature on the tarball or some other method to verify the
>> cgit tarball, the sha256 of the git tarball included in the cgit
>> Makefile is more or less only useful as a basic download integrity
>> check (in which case sha256 is mild overkill).
>>
>> None of this is to say that this patch isn't a step in the right
>> direction. It certainly helps to display a nicer error message if a
>> user receives a corrupted git tarball. It's just important that users
>> don't confuse this with providing any real authentication of the git
>> tarball.
>
> I'm not sure this is true. Providing that the CGit tarball is trusted,
> then I think this does provide sufficient authentication of the Git
> tarball. If the CGit tarball isn't trusted, then all bets are off
> anyway.

Agreed. The caveat is that I'm not sure there is a convenient method
for end-users or packagers to verify the authenticity of a cgit
tarball.

Those on the list can check the PGP signature on the announcement mail
and then use the included SHA1 to check the tarball, but doing that as
a non-list member isn't as easy due to many list archives stripping or
mangling PGP signatures. I tried doing this with the 0.11
announcement from the Mailman and Gmane archives now and wasn't
successful.

Posting a detached PGP signature for the tarball would improve the
ability for users to trust and verify the cgit tarball. It's not a
blocker for your patch, but it would make it significantly more
useful, so I thought I would broach the subject. ;)

Thank you for all of your work on cgit. It's very nice to see it
continue to improve, with even the smallest details getting attention.
--
Todd OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Now don't say you can't swear off drinking; it's easy. I've done it a
thousand times.
-- W.C. Fields
_______________________________________________
CGit mailing list
[email protected]
http://lists.zx2c4.com/mailman/listinfo/cgit
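The distinction the thread draws, a pinned checksum as an integrity check versus a detached PGP signature as authentication, as an added shell example that is not part of the thread and not cgit's Makefile; the keyring path, key fingerprint and file names are assumed inputs, and the status line it greps for is gpg's documented `VALIDSIG` line:

```shell
#!/bin/sh
# Portable sha256 helper (coreutils sha256sum or perl shasum).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Integrity check only: compares the tarball against a checksum pinned
# elsewhere (as cgit's Makefile pins the git tarball's sha256). It catches a
# corrupted or substituted download, but whoever can replace the file that
# carries the checksum can replace the checksum too, so this is not
# authentication.
check_sha256() {
    file=$1 expected=$2
    actual=$(sha256_of "$file")
    [ "$actual" = "$expected" ] && return 0
    printf 'checksum mismatch for %s\n  expected: %s\n  actual:   %s\n' \
        "$file" "$expected" "$actual" >&2
    return 1
}

# Authentication: a detached PGP signature checked against a keyring that
# holds only the maintainer key we already trust. --status-fd gives
# machine-readable results; we require a VALIDSIG line carrying the expected
# fingerprint rather than trusting the exit code alone, so a good signature
# from some other key in the keyring still fails.
verify_signature() {
    file=$1 sig=$2 keyring=$3 fpr=$4
    status=$(gpg --no-default-keyring --keyring "$keyring" --status-fd 1 \
        --verify "$sig" "$file" 2>/dev/null) || return 1
    printf '%s\n' "$status" | grep -q "^\[GNUPG:\] VALIDSIG $fpr " && return 0
    echo "signature on $file is not from expected key $fpr" >&2
    return 1
}

# Full release check: authenticate the tarball, then confirm its contents.
verify_release() {
    verify_signature "$1" "$2" "$3" "$4" && check_sha256 "$1" "$5"
}
```

Usage: `verify_release cgit-0.11.tar.xz cgit-0.11.tar.xz.sig trusted.gpg <FINGERPRINT> <SHA256>`, where the signature file and fingerprint are assumed placeholders.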