Re: [task #4633] GPG-Signed Commits

bug-cvs

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [task #4633] GPG-Signed Commits

From:	Sylvain Beucler
Subject:	Re: [task #4633] GPG-Signed Commits
Date:	Wed, 21 Sep 2005 19:52:14 +0200
User-agent:	Mutt/1.5.9i

On Mon, Sep 19, 2005 at 04:01:55PM -0400, Derek Price wrote:
> [...] but the most
> important step is the client verification, I think.  The server
> authorization already probably depends on SSH keys or somesuch.

I don't think GPG can be used to authenticate users. Malicious people
could resubmit old commits (with known security issues), or garbage
(signed mails), for example.

I know that that's exactly what is done at Savannah and ftp.gnu.org
for the upload system - it not a Good Thing nonetheless.

-- 
Sylvain

[Prev in Thread]

Current Thread

[Next in Thread]

Re: [task #4633] GPG-Signed Commits, (continued)

Prev by Date: RE: [Cvs-test-results] Build CVS (TRUNK) failed.
Next by Date: Re: [Cvs-test-results] Build CVS (TRUNK) failed.
Previous by thread: Re: [task #4633] GPG-Signed Commits
Next by thread: Re: [task #4633] GPG-Signed Commits
Index(es):
- Date
- Thread