Rostislav Svoboda <[email protected]> writes:
> On Thu, 18 Dec 2025 at 03:00, Tomas Volf <[email protected]> wrote:
>> [the authentication] protects against compromised forge.
>
> Git was initially released in 2005; GPG-signed commits were added
> later in Git 1.7.9 (2012) [1].
>
> Git's original security model already provides compromised forge
> detection:
>
> - objects are content-addressed (SHA-1, now SHA-256),
> - history forms a Merkle tree,
> - any rewrite, injection, or silent modification by a forge is
>   detectable.
>
> Commit signing strengthens author authentication and provenance, but
> compromised forge detection itself follows from Git's hash-based
> object model.
This is not the only way a compromised forge is problematic; it
can present new bad code to users. Whoever controls the forge
will not be able to store an unauthorized commit in the
repository.
The authentication mechanism serves multiple purposes:
- it shows what keys (~ contributors) are authorized to commit
- it shows the *history* of changes to commit authorization
- it validates that all commits have been pushed by people with
access to the private keys that were authorized at that time
None of that is accomplished with a Merkle tree.
I wish you would not call for abolishing this mechanism as a
tangent to the discussion of whether there are rules relating to
force pushing, especially when you choose not to acknowledge its
major benefits.
--
Ricardo
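As an added illustration for the two positions above (this is example code written for this page, not code from the thread, from Git or from Guix), the following Python model runs the two checks side by side over a small hash-chained history: a content-address (Merkle) walk, which is what Git's object model gives you, and a Guix-style authorization walk in which every commit must be signed by a key that its parent commit listed as authorized. The key ids, secrets, commit layout and scenario names are constructed for the example, and HMAC stands in for the OpenPGP/SSH signatures Git would actually verify so that it runs with the standard library alone; the authorization logic, not the signature primitive, is the point.

```python
"""Toy model: hash-chained history plus a Guix-style authorization walk.
Constructed example for illustration; not Git or Guix code."""
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# Constructed key material (key id -> secret).  HMAC stands in for real
# signatures here; a real verifier would hold public keys only.
KEYS = {"alice": b"alice-secret", "bob": b"bob-secret", "mallory": b"mallory-secret"}


@dataclass(frozen=True)
class Commit:
    parent: Optional[str]   # content address of the parent, None for the root
    tree: str               # stands in for the tree hash
    authorized: frozenset   # keys allowed to sign *children* of this commit
    signer: str             # key id that produced `sig`
    sig: bytes


def signed_payload(parent: Optional[str], tree: str, authorized: frozenset, signer: str) -> bytes:
    """Everything the signature covers (the commit minus the signature itself)."""
    return "\n".join([parent or "", tree, ",".join(sorted(authorized)), signer]).encode()


def sign(keyid: str, data: bytes) -> bytes:
    return hmac.new(KEYS[keyid], data, "sha256").digest()


def verify(keyid: str, data: bytes, sig: bytes) -> bool:
    return keyid in KEYS and hmac.compare_digest(sign(keyid, data), sig)


def commit_id(c: Commit) -> str:
    """Content address; the parent pointer is inside, so ids chain like Git's DAG."""
    return hashlib.sha256(signed_payload(c.parent, c.tree, c.authorized, c.signer) + c.sig).hexdigest()


def make_commit(parent: Optional[str], tree: str, authorized, signer: str) -> Commit:
    authorized = frozenset(authorized)
    return Commit(parent, tree, authorized, signer,
                  sign(signer, signed_payload(parent, tree, authorized, signer)))


def check_integrity(store: dict, head: str) -> bool:
    """Merkle check only: each object hashes to its name and the chain reaches a root."""
    cur, seen = head, set()
    while cur is not None:
        c = store.get(cur)
        if c is None or cur in seen or commit_id(c) != cur:
            return False
        seen.add(cur)
        cur = c.parent
    return True


def check_authorization(store: dict, head: str, introduction: tuple) -> bool:
    """Guix-style check: the root must match the trusted introduction (root id, key),
    and every commit must be signed by a key its *parent* listed as authorized."""
    if not check_integrity(store, head):
        return False
    chain, cur = [], head
    while cur is not None:
        chain.append(store[cur])
        cur = store[cur].parent
    chain.reverse()
    root_id, root_signer = introduction
    if commit_id(chain[0]) != root_id or chain[0].signer != root_signer:
        return False
    allowed = frozenset([root_signer])
    for c in chain:
        data = signed_payload(c.parent, c.tree, c.authorized, c.signer)
        if c.signer not in allowed or not verify(c.signer, data, c.sig):
            return False
        allowed = c.authorized  # the authorization history advances with each commit
    return True


def build_honest_history():
    """alice introduces the repo and authorizes bob; in the last commit she revokes bob."""
    root = make_commit(None, "tree0", {"alice", "bob"}, "alice")
    c1 = make_commit(commit_id(root), "tree1", {"alice", "bob"}, "bob")
    c2 = make_commit(commit_id(c1), "tree2", {"alice"}, "alice")
    store = {commit_id(c): c for c in (root, c1, c2)}
    return store, commit_id(c2), (commit_id(root), "alice")


def scenario(kind: str) -> dict:
    """What each check reports for one forge behaviour (constructed scenarios)."""
    store, head, intro = build_honest_history()
    if kind == "tampered-object":
        # Forge rewrites an existing object in place: its name no longer matches its content.
        c1_id = store[head].parent
        c1 = store[c1_id]
        store[c1_id] = Commit(c1.parent, "backdoored-tree", c1.authorized, c1.signer, c1.sig)
    elif kind == "appended-by-outsider":
        # Forge appends a well-formed, correctly hashed commit signed by an unauthorized key.
        c3 = make_commit(head, "tree3", {"alice", "mallory"}, "mallory")
        store[commit_id(c3)] = c3
        head = commit_id(c3)
    elif kind == "appended-by-revoked":
        # bob's key was authorized earlier in the history, but not at the time of this commit.
        c3 = make_commit(head, "tree3", {"alice", "bob"}, "bob")
        store[commit_id(c3)] = c3
        head = commit_id(c3)
    return {"integrity": check_integrity(store, head),
            "authorized": check_authorization(store, head, intro)}


if __name__ == "__main__":
    for kind in ("honest", "tampered-object", "appended-by-outsider", "appended-by-revoked"):
        print(kind, scenario(kind))
```

The hash walk catches only the first scenario; the two appended heads are internally consistent Merkle chains, so content addressing alone reports them as fine, and only the authorization walk rejects them (including the key that was once authorized but had been removed by the parent commit). Neither check can tell that a forge is serving a stale but valid head; that needs out-of-band knowledge of the expected tip.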