On Dec 18, 2017, at 8:22 PM, jungle boogie <jungleboog...@gmail.com> wrote:
>
> I can't remember the repo drh mentioned

TH3, the paid-for test harness for SQLite: https://sqlite.org/th3.html

> So if you committed something as drh with an improved overview section
> showing gpg keys, would this have prevented confusion?

As far as I can tell from my brief scan of the docs on this plus some grepping of the code, it looks like signatures just let you *later* prove that you created the manifest by handing over the public half of the key used to sign it. They aren't used by "fossil sync" to deny the sync if the signatures don't match known, trusted public keys.

For that to be of any use to what I'm talking about, the remote Fossil instance would need some way to retrieve those public keys during the sync process so that it can decide whether to accept the provided artifacts.

If this future Fossil stores that as part of the user record, then this effectively prevents transitive trust. To reuse my earlier post's example, because Alice does not have a login on Donny's repo, checkins made by Alice on Bob's repo and then sync'd to Charlize's repo won't be accepted by Donny's repo because it cannot look up her public key and thereby verify that the checkins signed by Alice are legitimate.

If future Fossil gets that from somewhere else, you then have the familiar trust problem that has made PGP-signed email completely fail to catch on widely. That's why I suggested OAUTH or SQRL, if you only need pseudonymous identity proofs.

All of this is far more complicated than where we started out, though, which is why fossil-scm.org accepted checkins from "tangent" in the first place. I'd have thought it would say, "Who the heck is tangent? No. You can't send me that." I'd have gotten an error, and I'd have figured out the problem and fixed it before it became part of the public record on fossil-scm.org. Twice.

> What happens if drh has gpg keys set up and wyoung attempts a commit?
> Would the commit work and not be signed?

I believe it would currently be accepted, but then if anyone goes and *checks* those signatures, the fraudulent ones would be detected.

Signature based systems buy you other problems, too, like key revocation, multiple keys per user, etc.

_______________________________________________
fossil-users mailing list
fossil-users@lists.fossil-scm.org
http://lists.fossil-scm.org:8080/cgi-bin/mailman/listinfo/fossil-users
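As an added example that is not part of this thread and not Fossil's own code: the sync-time check the message wishes for, with a public key kept in each repo's user record, modelled in Go with in-memory repos and ed25519 keys. The Manifest and Repo types, the Alice/Bob/Charlize/Donny repos and the forged "drh" check-in are all constructed here for illustration; it goes one step beyond the message by also showing the second case it raises, a check-in that claims drh's login but is signed with some other key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

// Manifest is a constructed stand-in for a check-in manifest: body, claimed login, detached signature.
type Manifest struct {
	Body   []byte
	Signer string
	Sig    []byte
}
// Repo stores a public key in each user record, as the message imagines a future Fossil would.
type Repo struct {
	Users map[string]ed25519.PublicKey
}
var ErrUnknownSigner = errors.New("no user record for signer on this repo")
var ErrBadSignature = errors.New("signature does not verify against the stored key")
// Sign produces a manifest signed with the committer's private key.
func Sign(body []byte, login string, priv ed25519.PrivateKey) Manifest {
	return Manifest{Body: body, Signer: login, Sig: ed25519.Sign(priv, body)}
}
// AcceptSync is the sync-time check: look the signer up locally, refuse if no key or a bad signature.
func (r *Repo) AcceptSync(m Manifest) error {
	pub, ok := r.Users[m.Signer]
	if !ok {
		return ErrUnknownSigner
	}
	if !ed25519.Verify(pub, m.Body, m.Sig) {
		return ErrBadSignature
	}
	return nil
}
// Scenario replays the Alice/Bob/Charlize/Donny example plus a forged "drh" check-in (all constructed).
func Scenario() map[string]error {
	alicePub, alicePriv, _ := ed25519.GenerateKey(rand.Reader)
	drhPub, _, _ := ed25519.GenerateKey(rand.Reader)
	_, impostorPriv, _ := ed25519.GenerateKey(rand.Reader)
	bob := &Repo{Users: map[string]ed25519.PublicKey{"alice": alicePub}}
	charlize := &Repo{Users: map[string]ed25519.PublicKey{"alice": alicePub}}
	donny := &Repo{Users: map[string]ed25519.PublicKey{"drh": drhPub}} // Alice has no login here
	checkin := Sign([]byte("C Fix\nU alice\n"), "alice", alicePriv)
	forged := Sign([]byte("C Bogus\nU drh\n"), "drh", impostorPriv) // someone else signing as drh
	return map[string]error{
		"bob": bob.AcceptSync(checkin), "charlize": charlize.AcceptSync(checkin),
		"donny": donny.AcceptSync(checkin), "forged": donny.AcceptSync(forged),
	}
}
```

Bob's and Charlize's repos accept Alice's check-in because her key is on file; Donny's repo refuses it with ErrUnknownSigner, and refuses the forged "drh" check-in with ErrBadSignature.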