Re: [task #4633] GPG-Signed Commits

From: Derek Price
Subject: Re: [task #4633] GPG-Signed Commits
Date: Fri, 09 Sep 2005 23:52:21 -0400
User-agent: Mozilla Thunderbird 1.0.6 (Windows/20050716)

Sylvain Beucler wrote:

>Another "benefit" is that in the case of a new server compromise, and
>if a CVS file is successfully altered, the person to blame is not the
>server maintainer anymore (for not securing the server properly), but
>rather the developer (for not securing his GPG keys properly).
>Of course that's no excuse for poor security.

Of course, a "developer compromise", where a hacker gains access to a
single developer's GPG keys, might compromise a handful of projects, and
even something as simple as an email list for commit messages might help
mitigate that worry.  A server compromise, without commits signed by
individual developers, might compromise, well, Savannah is showing 2468
projects right now.



Derek R. Price
CVS Solutions Architect
Ximbiot <http://ximbiot.com>
v: +1 717.579.6168
f: +1 717.234.3125