On Sat 06 Aug 2016 04:07, Leo Famulari <l...@famulari.name> writes:

> But, I also think the primary point of signing the commits is to record
> the identity of the person responsible for the commit, and so I think
> the policy should be to sign each commit. [0]
To me this is not the value that signing brings; rather, signing protects against an attack in which a malicious third party updates the Guix git repository to have a vulnerable commit. Given that most people run "guix pull" without inspecting the commits, this is real value: it would be possible to even make "guix pull" only accept updates whose HEAD is signed by a key in the keyring. Having the hook only accept signed HEADs is a good start along that path of course.

> Isn't it better for the identity information to be inherent to the Git
> commits themselves, since those are what is preserved by Git? Git does
> not preserve hooks or policies.

The convention that a signature goes along with responsibility is also a policy -- any path we take is a convention.

> Also, is there some problem with signing each commit? I don't know why
> we'd want to stop doing this.

I think there's a risk of signing fatigue. The more signatures you make with your key, the more likely it is that you sign something that you didn't mean to. To me it makes sense to reduce the number of signatures to the minimum necessary to preserve whatever security properties we are interested in; but YMMV obviously :)

Andy
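The server-side hook Andy sketches (accept a branch update only when its new tip is signed by a key in a dedicated keyring), as an added example that is not part of this thread or the Guix project's own hook; the COMMITTER_KEYRING path is a placeholder, and the keyring is assumed to contain only the committers' public keys.

```shell
#!/bin/sh
# Example git 'update' hook: refuse to advance a branch unless its new tip
# carries a signature that verifies against a key in a dedicated keyring.
# git invokes an update hook as:  update <refname> <oldrev> <newrev>
# and rejects the push for that ref when the hook exits non-zero.

# Placeholder: GNUPGHOME holding only the committers' public keys.
: "${COMMITTER_KEYRING:=/path/to/committer-keyring}"

# check_signed_tip REFNAME NEWREV
# Returns 0 if NEWREV is acceptable as the new tip of REFNAME, 1 otherwise.
check_signed_tip() {
    refname=$1
    newrev=$2

    # A branch deletion arrives with an all-zero newrev; nothing to verify.
    case "$newrev" in 0000000000000000000000000000000000000000) return 0 ;; esac

    # Only guard branch updates (refs/heads/*); other refs pass through.
    case "$refname" in refs/heads/*) ;; *) return 0 ;; esac

    # %G? is git's one-letter signature status for the commit:
    #   G good, U good but key not marked trusted, E key missing,
    #   B bad, X/Y expired, R revoked, N no signature at all.
    status=$(GNUPGHOME="$COMMITTER_KEYRING" git log -1 --format='%G?' "$newrev") || return 1

    case "$status" in
        # With a keyring that holds only enrolled committer keys, "U" still
        # means a valid signature by an enrolled key, so accept it with "G".
        G|U) return 0 ;;
        N) echo "rejected $refname: $newrev is not signed" >&2; return 1 ;;
        E) echo "rejected $refname: signing key not in committer keyring" >&2; return 1 ;;
        *) echo "rejected $refname: signature status '$status'" >&2; return 1 ;;
    esac
}

# When run by git as a hook, verify the pushed ref; otherwise do nothing.
if [ "$#" -eq 3 ]; then
    check_signed_tip "$1" "$3"
fi
```

Installed as hooks/update on the bare repository, this rejects an unsigned or unknown-key tip before it ever becomes the HEAD that "guix pull" would fetch.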