On Sun, 8 Jan 2017 10:40:15 -0500 Mike Gilbert <flop...@gentoo.org> wrote:
> The content of gentoo-news.git should already be covered by the
> detached signatures that are required to be present for each file.
> What is the benefit to requiring the commits themselves be signed?

Oh, I didn't know about those file signatures. But I think signing the
commits would make sense nonetheless, as this offers some advantages:

* Commit signatures are easy to verify: Everyone who is interested in
  verifying their /usr/portage image will already have an infrastructure
  in place to verify commit signatures, because that's how things are
  done for repo/gentoo.git.

* The detached news signatures are nontrivial to verify (in an automated
  fashion): Just looping over all news files in the repo and verifying
  their signatures is not an option, because some of the signatures on
  older news items can't be verified anymore (expired keys, signatures by
  retired devs, etc.). Hence, one will have to write some code to verify
  just the new news items introduced after a git pull.

* Commit signatures have slightly better security guarantees: If we only
  verify the detached signatures, attackers can still mess around with
  the commit graph; in particular, an MITM attacker could silently drop
  some of the news during a pull. With commit signatures, the only way
  for the attacker to achieve this is to pretend there aren't any new
  commits at all (something the user would probably notice after a
  while).

At the same time, I don't see any disadvantages to requiring commit
signatures; does anyone else?

Regards,
Luis Ressel
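The "verify just the new news items introduced after a git pull" step the message describes, as an added example that is not part of the thread or of any Gentoo tooling: it checks the commit signatures on the pulled range and the detached signatures of only the news texts that range added. It assumes the layout `<item>/<item>.<lang>.txt` with a detached `<item>.<lang>.txt.asc` beside each text, and that `ORIG_HEAD..HEAD` is the range the last pull brought in.

```shell
#!/bin/sh
# Added example: verify only what the last pull introduced, rather than
# every news item ever committed (older ones may have expired keys).
# Assumed layout: <item>/<item>.<lang>.txt + <item>.<lang>.txt.asc

# Filter "git diff --name-status" output (on stdin) down to news texts
# that were added (status A). Modified/deleted/renamed entries are ignored;
# .asc files do not match because they end in ".txt.asc", not ".txt".
added_news_texts() {
    awk '$1 == "A" && $2 ~ /\.txt$/ { print $2 }'
}

# Map a news text path to the detached signature it must ship with.
sig_path_for() {
    printf '%s.asc\n' "$1"
}

# Fail closed on the first commit in the range that is unsigned or whose
# signature does not verify against the local keyring.
verify_commit_range() {
    range="$1"
    for c in $(git rev-list "$range"); do
        git verify-commit "$c" >/dev/null 2>&1 ||
            { echo "unsigned or bad commit: $c" >&2; return 1; }
    done
}

# Verify the detached signature of every news text the range added.
# A missing .asc is treated as a failure, not skipped.
verify_new_news() {
    range="$1"
    git diff --name-status "$range" | added_news_texts | while read -r f; do
        sig=$(sig_path_for "$f")
        [ -f "$sig" ] || { echo "missing signature: $sig" >&2; exit 1; }
        gpg --verify "$sig" "$f" >/dev/null 2>&1 ||
            { echo "bad signature: $f" >&2; exit 1; }
    done
}

# Typical use in a gentoo-news checkout, right after `git pull`:
#   verify_commit_range ORIG_HEAD..HEAD && verify_new_news ORIG_HEAD..HEAD
```

Neither check can detect an upstream that simply withholds new commits; that is the residual gap the message points out, and only out-of-band expectations about update frequency cover it.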