Re: [task #4633] GPG-Signed Commits

From: Sylvain Beucler
Subject: Re: [task #4633] GPG-Signed Commits
Date: Wed, 21 Sep 2005 19:52:14 +0200
User-agent: Mutt/1.5.9i

On Mon, Sep 19, 2005 at 04:01:55PM -0400, Derek Price wrote:
> [...] but the most
> important step is the client verification, I think.  The server
> authorization already probably depends on SSH keys or somesuch.

I don't think GPG can be used to authenticate users. Malicious people
could resubmit old commits (with known security issues), or garbage
(signed mails), for example.

I know that that's exactly what is done at Savannah and ftp.gnu.org
for the upload system - it is not a Good Thing nonetheless.
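
The replay concern raised in this message, as an added example that is not part of the original mail or of any Savannah code: a server that accepts anything with a valid signature also accepts a resubmitted old commit or an unrelated signed mail, while one that requires the signed text to name the current head rejects both. HMAC stands in for a GPG signature here, and the `parent=` line, class names and key are hypothetical.

```python
import hashlib
import hmac

# Constructed demo key. HMAC stands in for the committer's GPG signature
# (assumption): the replay problem is the same for any signature scheme.
KEY = b"constructed-demo-key"

def sign(message: bytes) -> str:
    return hmac.new(KEY, message, hashlib.sha256).hexdigest()

def signature_ok(message: bytes, sig: str) -> bool:
    return hmac.compare_digest(sign(message), sig)

class NaiveServer:
    """Accepts any message whose signature verifies."""
    def __init__(self):
        self.log = []

    def head(self) -> str:
        # Identifier of the current repository state (hash of all accepted commits).
        return hashlib.sha256(b"".join(self.log)).hexdigest()

    def fresh(self, message: bytes) -> bool:
        return True  # no freshness check at all

    def submit(self, message: bytes, sig: str) -> bool:
        if not (signature_ok(message, sig) and self.fresh(message)):
            return False
        self.log.append(message)
        return True

class BoundServer(NaiveServer):
    """Also requires the signed text to start with 'parent=<current head>'."""
    def fresh(self, message: bytes) -> bool:
        return message.split(b"\n", 1)[0] == b"parent=" + self.head().encode()

def make_commit(head: str, change: bytes):
    message = b"parent=" + head.encode() + b"\n" + change
    return message, sign(message)

def demo():
    results = {}
    for name, server in (("naive", NaiveServer()), ("bound", BoundServer())):
        old = make_commit(server.head(), b"v1 (has a known flaw)")
        first = server.submit(*old)
        fixed = server.submit(*make_commit(server.head(), b"v2 (fix)"))
        replay = server.submit(*old)           # old signed commit, resubmitted
        mail = b"Hi list, see attached."       # constructed signed mail
        garbage = server.submit(mail, sign(mail))
        results[name] = (first, fixed, replay, garbage)
    return results
```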

