Thread (13 messages) 13 messages, 8 authors, 2016-06-15

Re: [Survey] Signed push

From: Jonathan Nieder <hidden>
Date: 2016-06-15 22:52:02

Nguyen Thai Ngoc Duy wrote:
On Wed, Sep 14, 2011 at 2:45 AM, Junio C Hamano [off-list ref] wrote:
quoted
An alternative that I am considering is to let the requester say this
instead:

   are available in the git repository at:
     git://git.kernel.org/pub/flobar.git/ 5738c9c21e53356ab5020912116e7f82fd2d428f
[...]
Stupid question, if we agree to go with signed push, can we also sign
pull requests and verify them when we pull? I suppose most of the
time, pulling can be done automatically by extracting pull url from
the request. This would make pull/push both signed.

BTW, there's a third way (rsync is obsolete) to carry changes away in
human-unreadable way: bundles. Should we also sign the bundles too (I
guess we could just do the same as in signed push).
If I understand you correctly, then ordinary PGP email signing[1]
should work for that already.  In your first example, the receiver can
make sure whatever process grabs a pull request verifies it, and in
the second example, the receiver checks the signature on her email
before saving a bundle and passing it to "git fetch".

[1] http://www.phildev.net/pgp/gpgmua.html
Keyboard shortcuts
hback out one level
jnext message in thread
kprevious message in thread
ldrill in
Escclose help / fold thread tree
?toggle this help