This is one of several braindumps I've got, getting what are potentially very important details about the Git stuff out of my head, so that it doesn't matter if I become hit by a bus. Apologies if this mail seems a bit scrambled, per -core, my brain is rather scrambled lately.
TL;DR: ------ I propose: - merges are explicitly allowed, even non-fast-forwards - all commits MUST be signed - if you include a commit from a user: author := non-@gentoo committer := @gentoo signer := $committer Merging: -------- The thread I started about allowing merges, I want to explain a bit of history behind it, because it came about as a result of a change in HOW Git upstream is doing signatures for now. There are two things to record: 1. who really made a commit 2. who pushed the commit to the repo They don't need to be the same person. - Signed commits will prove #1 - Signed pushes will prove #2 Git upstream will ultimately support BOTH forms of signature, but for now, only signed commits are available. Good page covering Git signatures, if you don't want to read the rest of my description below, but this page is much longer, and covers some of the related features and checking in much more detail: http://mikegerwitz.com/docs/git-horror-story.html Git signed pushes: ------------------ We were originally looking for a model of signing the actual push action, and having that recorded in Git. This was important as it allowed the author/committer/pusher to differ, while still being securely recorded (the signature was on the actual push action, as a certification). This is what we had at length discussions with the Git upstream about this: http://git.661346.n2.nabble.com/Signed-push-progress-td6839255.html. Git signed commits: ------------------- Signed pushed were delayed in favour of more immediate work on allowing the direct signature of the contents of a commit. These had the direct advantage of always being included in the Git data directly. They were built to stack cleanly on top of the fact that the existing git repo objects were based on SHA1 hashes of other objects (see http://eagain.net/articles/git-for-computer-scientists/ for the DAG of a commit). Format of the signed Git commit ------------------------------- If you look at the output of: git cat-file commit $commitid You'll see this output like this: === tree ee314a31b622b027c10981acaed7903a3607dbd4 parent 7edca69c39a58b9d08d7145cdfa797ec27049e78 author Robin H. Johnson <robb...@gentoo.org> 1338710866 +0000 committer Robin H. Johnson <robb...@gentoo.org> 1338710866 +0000 commit message goes here. === That's the COMPLETE commit object. It is also EXACTLY what gets signed. If you look the above output (exact same command), for a signed commit: ===== tree 8a6685fdf45e426a0bce32ac18aa21da9aa8a60e parent f203a90b7ee239f8cf4df652d94120798c68f7e5 author Robin H. Johnson <robb...@gentoo.org> 1338710330 +0000 committer Robin H. Johnson <robb...@gentoo.org> 1338710330 +0000 gpgsig -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.19 (GNU/Linux) iQIcBAABAgAGBQJPyxk6AAoJEK5yKHg3xZ9fgJAP/0mEzW0K+GKNPpaDbS+PtI8T QSVNEK0nA5PSf7F/iNjPm3YlUjovndo4LHpd8+0CRAy9HtCWMUpeXRWK7TKimwWJ 4x5jsnMH6ktawsFNvNjGfuLKi+eqJJtv3J0n7KwqsCeGP5FtBZIEhRnJ2BDDQF7L mZvdSHZlqVAkzXyAWgt+7uiZcR9LvT+xuziDVHVhZZqWDWEvPLXVkphwChvqIbA9 u8kQgxawcl5p8WXUzknqUaMOf2L4eXryyTpMoXSbOSxS8Z7OADG6YV/phDD5EjV0 03bOCJzeDfV03rJWlkZa11Kjj1ni47KgROtA6ywdXGZswtgAbLNvg/c2icDJLAm6 TmuhJ0qw2FWsIllnEKfwegYtT5ei/YJhxnlVQ20JuEyhLbMun4t1Y01OOsub5DU1 vilAsItpY+1mXzhC92/16GwqHgjGstAwL5GmGz2lGBSvPc356DtGcRF4TSfs2iMH WkZytJGSYPOu5Nm3a3ws1Ific3Cwhv1sOD0PEP0PboQ4bLmWk0l+Ivw52d6J0GBL +uzhe1rGhEQfkirWNKUPsmnfyJu4DzEjdQOeQsLLjdlc+EytqCr2cBB+AAXq0EXI Rq5Fp5GkPap5H9CFJdDoc6Caq6SRcze8l9w1PZ5OutygkyfU3GzRQ7GiWVXMFm9M PgZnISs7Hcp00n4yeMJR =BR/z -----END PGP SIGNATURE----- . ===== You can trivially remove the gpgsig header (the indented lines are continuations, up until the \n\n). If you want to verify a commit, you can do: # git show --show-signature $commitid Or you can use cat-file, move gpgsig header to a seperate file, removing leading whitespace and the gpgsig bit, and run this yourself: # gpg --verify commit.sig commit.no-gpgsig -- Robin Hugh Johnson Gentoo Linux: Developer, Trustee & Infrastructure Lead E-Mail : robb...@gentoo.org GnuPG FP : 11ACBA4F 4778E3F6 E4EDF38E B27B944E 34884E85
signature.asc
Description: Digital signature