civodul pushed a commit to branch master
in repository maintenance.
commit 6b81d8a3bc564d8a74848817596ad1b5ccacf605
Author: Ludovic Courtès <[email protected]>
AuthorDate: Mon Aug 30 16:12:05 2021 +0200
icse-2022: Link to "Git Cryptography Protocol".
---
doc/icse-2022/security.sbib | 7 +++++++
doc/icse-2022/supply-chain.skb | 13 ++++++++-----
2 files changed, 15 insertions(+), 5 deletions(-)
diff --git a/doc/icse-2022/security.sbib b/doc/icse-2022/security.sbib
index cef3c99..88e87f1 100644
--- a/doc/icse-2022/security.sbib
+++ b/doc/icse-2022/security.sbib
@@ -204,6 +204,13 @@ Thayer")
(year "2021")
(url "https://www.sigstore.dev/"))
+(misc huseby2021:git-crypto
+ (author "Dave Huseby et al.")
+ (title "Git Cryptography Protocol")
+ (year "2021")
+ (url "https://github.com/cryptidtech/git-cryptography-protocol"))
+
+
#|
(defun skr-from-bibtex ()
"Vaguely convert the BibTeX snippets after POINT to SBibTeX."
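Review bot: The two added `+` lines after the `huseby2021:git-crypto` entry leave a double blank line before the `#|` comment block, whereas the preceding `sigstore` entry is followed by a single one; drop one of them so entry spacing stays uniform. Since the entry points at a plain GitHub repository URL rather than a published document, it would also help future readers if the entry recorded when the repository was consulted, the way a `(year "2021")` alone cannot, because the protocol text at that URL may change.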
diff --git a/doc/icse-2022/supply-chain.skb b/doc/icse-2022/supply-chain.skb
index 4dec83f..639a008 100644
--- a/doc/icse-2022/supply-chain.skb
+++ b/doc/icse-2022/supply-chain.skb
@@ -743,11 +743,14 @@ broad and extensible specification ,(ref :bib
'callas2007:rfc4880-openpgp), made it a poor candidate in our eyes.
More focused options such as minisign ,(ref :bib
'denis2021:minisign-web) looked more appealing. However, we felt that
-the fact that OpenPGP commit signing is well-supported by Git makes a
-significant practical difference: developers can easily be set up to
-sign commits with GnuPG and commands such as ,(tt [git log]) can verify
-and display signatures; ways to deal with OpenPGP keys and signatures,
-although complex, are also well-documented.])
+the fact that OpenPGP commit signing is well-supported by Git,(footnote
+[As of this writing, Git tools only support OpenPGP, but work started in
+2021 to support cryptography tools other than OpenPGP/GnuPG ,(ref :bib
+'huseby2021:git-crypto).]) makes a significant practical difference:
+developers can easily be set up to sign commits with GnuPG and commands
+such as ,(tt [git log]) can verify and display signatures; ways to deal
+with OpenPGP keys and signatures, although complex, are also
+well-documented.])
(p [Key distribution is an important issue. We did not want
the whole mechanism to lazily fetch public keys from key servers:
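Review bot: In the new footnote, "work started in 2021 to support cryptography tools other than OpenPGP/GnuPG" reads as if that work were happening in Git itself, but the cited `huseby2021:git-crypto` entry points at a third-party repository (cryptidtech), not at the Git project; consider wording it as an external proposal, e.g. "a third-party proposal for a Git signing protocol independent of OpenPGP appeared in 2021". The opening claim "Git tools only support OpenPGP" is also stated without qualification; since the footnote is the only evidence offered for the "significant practical difference" argument in the paragraph, either scope it to commit signing and verification as exposed by `git log` (which is what the sentence relies on) or back it with a reference of its own.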