[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [task #4633] GPG-Signed Commits
From: |
Derek Price |
Subject: |
Re: [task #4633] GPG-Signed Commits |
Date: |
Tue, 04 Oct 2005 14:19:41 -0400 |
User-agent: |
Mozilla Thunderbird 1.0.7 (Windows/20050923) |
Mark D. Baushke wrote:
> >Hrm. Perhaps the best solution would still be just to use the
> >commitid? If we ever find a system where both time() and /dev/urandom
> >are broken, then we can worry about using a counter as described above
> >as a fallback?
>
>
> I would actually suggest that if time() is broken on the server, that
> using gpg should just be disabled as it will never be possible to
> validate a signature in that case.
It would not be possible for the server to validate the signature, but a
client still could. In the implementation we've been discussing, the
server need not be configured to validate signatures.
Of course, a server that can't put timestamps in the CVS archives is
arguably broken anyhow and perhaps not a reasonable porting target? Of
course, such a server might still work otherwise. I haven't heard of
anybody doing this but that doesn't mean it isn't being done. Again,
though, I think this case may almost certainly be safely ignored until
we see bug reports about it.
Summary of my current conclusion: Stick with commitid as currently
implemented for use as the sequence identifier with signed-commits: NOW
+ 8 RANDOM BYTES, converted to base 62.
Regards,
Derek
--
Derek R. Price
CVS Solutions Architect
Ximbiot <http://ximbiot.com>
v: +1 717.579.6168
f: +1 717.234.3125
<mailto:derek@ximbiot.com>
- Re: [task #4633] GPG-Signed Commits, Derek Price, 2005/10/03
- Re: [task #4633] GPG-Signed Commits, Jim Hyslop, 2005/10/03
- Re: [task #4633] GPG-Signed Commits, Frank Hemer, 2005/10/03
- Re: [task #4633] GPG-Signed Commits, Derek Price, 2005/10/03
- Re: [task #4633] GPG-Signed Commits, Bernd Jendrissek, 2005/10/05
- Re: [task #4633] GPG-Signed Commits, Alexander Taler, 2005/10/05
- Re: [task #4633] GPG-Signed Commits, Jim Hyslop, 2005/10/05
- Re: [task #4633] GPG-Signed Commits, Derek Price, 2005/10/05
- Re: [task #4633] GPG-Signed Commits, Jim Hyslop, 2005/10/05
- Re: [task #4633] GPG-Signed Commits, Derek Price, 2005/10/05