Leo Famulari <l...@famulari.name> writes: > On Fri, Aug 05, 2016 at 06:50:30PM +0200, Andy Wingo wrote: >> Why would you sign a commit if you don't attest to intermediate unsigned >> commits? > > If I push A-B-C with a signed HEAD immediately after somebody pushes a > forged D, won't it look like I vouch for D?
This can't happen unless D is already in your local repo before you commit locally. If someone pushes D immediately before you try to push A-B-C, your push will be rejected. At that point, you need to pull, rebase on top of D, and try again. You can always see the ancestor commits before signing the new comit. I haven't thought deeply on this, but it seems to me that Andy's suggestion has a lot of merit. We could choose to decide, as a matter of policy, that if you sign a commit with unsigned ancestor commit(s), you are effectively vouching for those ancestor commits. We could modify the commit hook to accept a push as long as the new HEAD commit is signed by an authorized key, disregarding the ancestors. There's one thing that each of us would need to be careful of, though. If we adopt this policy, then before signing a commit, we'd need to first verify that the parent commit has been signed, lest we accidentally vouch for an unsigned commit that we know nothing about. In practice, this could only happen if Savannah is compromised or there's a man-in-the-middle attack, because Savannah is supposed to ensure that pushes with unsigned HEADs are rejected. What do you think? Mark