Re: [task #4633] GPG-Signed Commits
From: Derek Price
Subject: Re: [task #4633] GPG-Signed Commits
Date: Fri, 09 Sep 2005 23:52:21 -0400
User-agent: Mozilla Thunderbird 1.0.6 (Windows/20050716)

Sylvain Beucler wrote:
>Another "benefit" is that in the case of a new server compromise, and
>if a CVS file is successfully altered, the person to blame is not the
>server maintainer anymore (for not securing the server properly), but
>rather the developer (for not securing his GPG keys properly).
>
>Of course that's no excuse for poor security.
>
>
Of course, a "developer compromise", where a hacker gains access to a
single developer's GPG keys, might compromise a handful of projects, and
even something as simple as an email list for commit messages might help
mitigate that worry. A server compromise, without commits signed by
individual developers, might compromise, well, Savannah is showing 2468
projects right now.
Regards,
Derek
--
Derek R. Price
CVS Solutions Architect
Ximbiot <http://ximbiot.com>
v: +1 717.579.6168
f: +1 717.234.3125
<mailto:derek@ximbiot.com>