Re: Postfix VCS repository
Miguel Di Ciurcio Filho:
> Is there an unofficial Postfix VCS repository? I believe there is not an official one, is there a reason for that? I'm asking because I want to keep track of what is going on 2.7 development. Checking the release notes file or the change log file is not very practical.

There is a collection of PGP-signed tarballs linked off the download webpage. I am not aware of a version control system that provides the integrity guarantees of PGP.

Wietse
Re: Postfix VCS repository
Wietse Venema wrote:
> Miguel Di Ciurcio Filho:
>> Is there an unofficial Postfix VCS repository? I believe there is not an official one, is there a reason for that? I'm asking because I want to keep track of what is going on 2.7 development. Checking the release notes file or the change log file is not very practical.
>
> There is a collection of PGP-signed tarballs linked off the download webpage. I am not aware of a version control system that provides the integrity guarantees of PGP.
>
> Wietse

PGP? I don't think so. As for integrity checks, there is git which does checks based on SHA1. Git also references OpenSSL keys.
Re: Postfix VCS repository
On Thu, 2009-10-01 at 13:27 -0400, Wietse Venema wrote:
> Miguel Di Ciurcio Filho:
>> Is there an unofficial Postfix VCS repository? I believe there is not an official one, is there a reason for that? I'm asking because I want to keep track of what is going on 2.7 development. Checking the release notes file or the change log file is not very practical.
>
> There is a collection of PGP-signed tarballs linked off the download webpage. I am not aware of a version control system that provides the integrity guarantees of PGP.

Apparently both Mercurial and git support it, at least for explicitly signed revisions:

http://mercurial.selenic.com/wiki/GpgExtension
http://www.kernel.org/pub/software/scm/git/docs/git-tag.html

I should probably try using those too. :)
Re: Postfix VCS repository
Brian Evans - Postfix List:
> Wietse Venema wrote:
>> Miguel Di Ciurcio Filho:
>>> Is there an unofficial Postfix VCS repository? I believe there is not an official one, is there a reason for that? I'm asking because I want to keep track of what is going on 2.7 development. Checking the release notes file or the change log file is not very practical.
>>
>> There is a collection of PGP-signed tarballs linked off the download webpage. I am not aware of a version control system that provides the integrity guarantees of PGP.
>>
>> Wietse
>
> PGP? I don't think so.

Then we agree. A system that computes SHA1 without secret key provides no detection of after-the-fact changes.

Wietse
Re: Postfix VCS repository
Wietse Venema wrote:
> Brian Evans - Postfix List:
>> Wietse Venema wrote:
>>> Miguel Di Ciurcio Filho:
>>>> Is there an unofficial Postfix VCS repository? I believe there is not an official one, is there a reason for that? I'm asking because I want to keep track of what is going on 2.7 development. Checking the release notes file or the change log file is not very practical.
>>>
>>> There is a collection of PGP-signed tarballs linked off the download webpage. I am not aware of a version control system that provides the integrity guarantees of PGP.
>>>
>>> Wietse
>>
>> PGP? I don't think so.
>
> Then we agree. A system that computes SHA1 without secret key provides no detection of after-the-fact changes.
>
> Wietse

I should Google more before replying as Timo pointed out my misunderstandings.
Re: Postfix VCS repository
On Thu, Oct 01, 2009 at 01:46:51PM -0400, Wietse Venema wrote:
> Then we agree. A system that computes SHA1 without secret key provides no detection of after-the-fact changes.

Except that the SHA-1 signature is just 20 bytes covering the entire tree, and there are *many* trees (no single master), with some more stable than others, the digests of the stable trees can be signed and/or saved off-line.

Tampering with prior history in a tree is hard, if one wants to convince all the other tree copies that the altered tree is genuine. One can of course create new leaf nodes (patches), but these are clearly visible as new revisions.

So git is IIRC more tamper-evident than it seems at first glance, provided that there are lots of trees (which is typically the case), and developers notice that their tree is inconsistent with the previously common history of a tree they are pulling from or pushing to.

--
Viktor.
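
The trade-off debated in this thread, as an added example that is not part of any of the posts above: a simplified model of a hash-chained history, where each revision id is an unkeyed SHA-1 over the parent id plus the content (this is not git's real object format). It compares what a copy can verify on its own with what a digest held elsewhere (signed, saved off-line, or taken from another clone) adds; all function names and sample revisions are constructed for illustration.

```python
import hashlib

def commit_id(parent: str, content: bytes) -> str:
    # Unkeyed SHA-1 over parent id + content (simplified; not git's object format).
    return hashlib.sha1(parent.encode() + b"\0" + content).hexdigest()

def build_history(contents):
    # Chain revisions: each entry is (id, parent id, content).
    history, parent = [], ""
    for content in contents:
        cid = commit_id(parent, content)
        history.append((cid, parent, content))
        parent = cid
    return history

def self_consistent(history) -> bool:
    # All a lone copy can verify: ids match their data and parent links.
    parent = ""
    for cid, recorded_parent, content in history:
        if recorded_parent != parent or cid != commit_id(parent, content):
            return False
        parent = cid
    return True

def audit(history, trusted_tip: str) -> dict:
    # trusted_tip is a digest held outside the copy: signed, saved off-line,
    # or taken from an independent clone.
    return {
        "self_consistent": self_consistent(history),
        "contains_trusted_tip": any(cid == trusted_tip for cid, _, _ in history),
    }

# Constructed sample revisions.
REVS = [b"rev 1: initial import", b"rev 2: fix parser", b"rev 3: update docs"]
ORIGINAL = build_history(REVS)
TRUSTED_TIP = ORIGINAL[-1][0]

# Case 1: content edited in place, stored ids left untouched.
PATCHED = list(ORIGINAL)
PATCHED[1] = (ORIGINAL[1][0], ORIGINAL[1][1], b"rev 2: fix parser (altered)")
# Case 2: history rewritten and every id recomputed, no secret needed.
REWRITTEN = build_history([REVS[0], b"rev 2: fix parser (altered)", REVS[2]])
# Case 3: honest new leaf on top of the known history.
EXTENDED = build_history(REVS + [b"rev 4: new feature"])

if __name__ == "__main__":
    for name, h in [("original", ORIGINAL), ("patched", PATCHED),
                    ("rewritten", REWRITTEN), ("extended", EXTENDED)]:
        print(f"{name:10s} {audit(h, TRUSTED_TIP)}")
```

The rewritten copy passes every check it can run on itself; only the digest held elsewhere flags it, while the extended copy still contains that digest and shows the addition as a new revision.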