Re: [Arx-users] Signature command set


From: Kevin Smith
Subject: Re: [Arx-users] Signature command set
Date: Fri, 10 Dec 2004 09:27:41 -0500

On Fri, 2004-12-10 at 08:45 -0500, Walter Landry wrote:
> Kevin Smith <address@hidden> wrote:
> > So when I pull your patch into my archive, it remains signed by you, but
> > the resulting revision is signed by me?
> 
> I am not quite sure by what you mean by "pull your patch".  If you
> mirror my archive, then my signatures will go along with it.  If you
> apply my patch to your tree and commit, my signature is no longer there.

Hm. Ok. So my current normal mode of working on ArX code is that I have
an arx.kevins branch in my local archive. Periodically, I "merge" from
wlandry, and commit. You're saying that by doing that, I am signing
everything that gets committed, and your signatures of those patches are
discarded.

That means that I am now responsible for verifying every single line of
code that you write, because I'm putting my signature on it. I had been
thinking that your signature would follow your patch, but I think I see
why it can't (because your patch might not apply cleanly to my archive).

I had thought that a signature would mean: "I, as the signer, take full
responsibility for every line of code herein. It does not contain
backdoors." That would be true if your patches were still signed by you
even after being committed into my archive.

In most cases, it won't really mean that. Instead, it will mean "I, as
the signer, believe that this code is probably good. The signature
ensures that you receive exactly the code that I intended to release."

That's valuable, but is not the paradigm I had expected. It's probably
worth explaining in some detail in the docs.

> I could put in a check to make sure that you are
> signing with a key listed in the archive.  But I don't think that it
> is possible to eliminate all problems.  For example, deleting a key
> instantly makes any revisions signed by that key invalid.

I agree that it won't solve everything, but I think the sign operation
should fail for any key that is not listed in the archive. Hm. On the
other hand, anyone who would have permission to sign would also have
permission to add themselves to the list of keys. But still, it's a
trivial check that would avoid an invalid case, so why not check.

> > By "single user", I mean that only one person has write access to an
> > archive. All group work is managed by pulling patches from other
> > readable archives, or emailing patches around.
> 
> Ah.  In that case, you still need all of the "sig" functionality,
> because keys can expire or become compromised.

I'm not sure there would ever be a need to have multiple active keys for
an archive in the "single-user" case, but since the more complex
"multi-user" case exists, there doesn't seem to be room for
simplification. Except possibly in the docs--not sure about that yet.

Kevin
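The semantics worked through above, as an added illustration that is not ArX's code or anything posted in the thread: mirroring carries the original signature along, merge-and-commit produces a revision signed by the merger, signing with a key that is not listed in the archive is refused, and deleting a listed key makes the revisions it signed unverifiable. The `Archive`, `Revision`, `mirror` and `merge_and_commit` names are assumptions for this model, and an HMAC over the content stands in for the real (asymmetric) archive signatures.

```python
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class Revision:
    content: bytes
    signer: str       # id of the key that signed this revision
    signature: bytes  # stand-in signature (HMAC over content), not a real GPG signature


class Archive:
    """Hypothetical model of an archive: its revisions plus the keys it lists."""

    def __init__(self):
        self.keys = {}        # key id -> secret; stands in for the archive's key listing
        self.revisions = []

    def add_key(self, key_id, secret):
        self.keys[key_id] = secret

    def remove_key(self, key_id):
        # Walter's point: once the key is gone, revisions it signed no longer verify
        self.keys.pop(key_id, None)

    def _mac(self, key_id, content):
        return hmac.new(self.keys[key_id], content, hashlib.sha256).digest()

    def commit(self, content, key_id):
        # The check Kevin asks for: refuse to sign with a key the archive does not list
        if key_id not in self.keys:
            raise KeyError(f"key {key_id!r} is not listed in this archive")
        rev = Revision(content, key_id, self._mac(key_id, content))
        self.revisions.append(rev)
        return rev

    def verify(self, rev):
        # A signature only verifies against a key this archive currently lists
        if rev.signer not in self.keys:
            return False
        return hmac.compare_digest(self._mac(rev.signer, rev.content), rev.signature)


def mirror(src, dst):
    """Mirroring copies keys and revisions verbatim, so the original signatures survive."""
    dst.keys.update(src.keys)
    dst.revisions.extend(src.revisions)


def merge_and_commit(dst, rev, key_id):
    """Applying another archive's patch and committing yields a revision signed by the
    merger; the original signer's signature is not carried along."""
    return dst.commit(rev.content, key_id)
```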
