[SSL Observatory] Observatory source code available via git

Robert Ransom rransom.8774 at gmail.com
Fri May 13 11:34:15 PDT 2011


On Fri, 13 May 2011 13:25:49 -0400
Matt McCutchen <matt at mattmccutchen.net> wrote:

> On Fri, 2011-05-13 at 11:52 -0500, Chris Palmer wrote:
> > On May 13, 2011, at 11:35 AM, Daniel Kahn Gillmor wrote:
> > > As long as you are pulling (and properly verifying) signed tags, the
> > > git://  scheme provides entirely reasonable integrity protection.
> > 
> > As far as I know, we don't sign any tags.
> 
> And even if you did, signing does not guarantee that the ref is fresh or
> the one the user wants, rather than some commit from some project that
> you signed sometime in the past.  As such, it is suitable for preventing
> the injection of malware but does not constitute integrity protection of
> a fetch operation.

The signed message contains all of the metadata in the tag object,
including the hash of the tagged commit and the tag name, and the GPG
signature contains a timestamp.


Robert Ransom
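As an added illustration (not code from this list or from the Observatory project) of what a signed tag does and does not bind: the script below parses the metadata the reply describes, the tagged object hash, the tag name and the tagger timestamp, out of a constructed tag object, compares it with the ref and commit the user actually asked for, and adds a rollback check, since a valid signature says nothing about which tag the server chose to hand out. The GPG check is a caller-supplied function (no key material is available offline), the sample object, hash and identity are placeholders, and the freshness check uses the tagger time inside the signed payload rather than the creation time inside the OpenPGP signature packet.

```python
import re
# Constructed sample tag object, in the layout `git cat-file -p <tag>` prints;
# the hash, identity and signature body are placeholders, not real values.
SAMPLE_TAG = """object 1111111111111111111111111111111111111111
type commit
tag v1.0
tagger Example Tagger <tagger@example.org> 1305311655 -0700

Release v1.0
-----BEGIN PGP SIGNATURE-----
PLACEHOLDER-SIGNATURE-BODY
-----END PGP SIGNATURE-----
"""
SIG_RE = re.compile(r"-----BEGIN PGP SIGNATURE-----.*?-----END PGP SIGNATURE-----\n?", re.S)
TAGGER_RE = re.compile(r" (\d+) [+-]\d{4}$")

def split_tag(raw):
    """Return (signed payload, armored signature) from a raw tag object."""
    m = SIG_RE.search(raw)
    if m is None:
        raise ValueError("tag object carries no PGP signature")
    return raw[:m.start()], m.group(0)

def parse_tag_headers(payload):
    """Parse the header block the signature covers (object, type, tag, tagger)."""
    headers, _, _message = payload.partition("\n\n")
    fields = dict(line.partition(" ")[::2] for line in headers.splitlines())
    m = TAGGER_RE.search(fields.get("tagger", ""))
    if m is None:
        raise ValueError("tagger line has no timestamp")
    fields["tagger_time"] = int(m.group(1))
    return fields

def check_tag_binding(raw, requested_tag, checked_out_commit,
                      last_accepted_time, verify_signature):
    """Return the problems found; an empty list means the signed metadata binds
    the ref and commit the user asked for.  verify_signature(payload, sig) -> bool
    stands in for the GPG call, which is not available offline."""
    payload, sig = split_tag(raw)
    f = parse_tag_headers(payload)
    # The signature covers the header block, so name, object and tagger time can
    # be checked; it says nothing about which ref the server chose to serve, so
    # the caller supplies what it asked for and the newest tagger time accepted.
    checks = [
        (verify_signature(payload, sig), "signature does not verify"),
        (f.get("tag") == requested_tag, "signed tag name differs from requested tag"),
        (f.get("object") == checked_out_commit, "signed object is not the checked-out commit"),
        (f["tagger_time"] >= last_accepted_time, "tagger time older than last accepted tag"),
    ]
    return [msg for ok, msg in checks if not ok]
```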