Mailing List Archive
tlug.jp
Mailing List
tlug archive
tlug Mailing List Archive
|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [tlug] Any way to make code running on a cloud service publicly verifiable?
- Date: Thu, 20 Sep 2012 09:44:27 +0900
- From: Curt Sampson <cjs@example.com>
- Subject: Re: [tlug] Any way to make code running on a cloud service publicly verifiable?
- References: <CA+su7OWvHruqQ8MVWKqkGNSwrnLS0GeZECk=B4P4AwWN=qR8eg@mail.gmail.com> <87627grg2i.fsf@uwakimon.sk.tsukuba.ac.jp> <20120915065609.GB9846@homeric.cynic.net> <87wqzvpci6.fsf@uwakimon.sk.tsukuba.ac.jp> <20120915152427.GA32537@homeric.cynic.net> <87txuypjck.fsf@uwakimon.sk.tsukuba.ac.jp>
- User-agent: Mutt/1.5.21 (2010-09-15)
On 2012-09-16 15:33 +0900 (Sun), Stephen J. Turnbull wrote:
> Curt Sampson writes:
> > On 2012-09-15 23:49 +0900 (Sat), Stephen J. Turnbull wrote:
> >
> > > But what do you propose signing in the case of a direct checkout of
> > > rev deadbeefcafefeedbeadbabefacebadedeedaced from a public git
> > > repository? The rev id, I guess?
> >
> > The revision itself. The ability to do that is built in to git with "git
> > tag --sign".
>
> All that does is sign the commit object, which contains a tree id and
> metadata. For our purpose, there's no difference: it still depends on
> the chain of SHA1s. Linus never claimed this provides good security,
> just that it's better than no signature.
Huh. I'd never looked too closely at that.
Well, the obvious thing to do here is really just to make a tar archive
of the source you're going to upload and sign that. It's a lot simpler
and a huge reduction in attack surface. Thinking about it, the whole
idea of invovling git (or any other RCS) at all now seems bad to me.
cjs
--
Curt Sampson <cjs@example.com> +81 90 7737 2974
It is easier to write an incorrect program than understand a correct one.
--Alan Perlis, Epigrams on Programming (#7)
- Follow-Ups:
- Re: [tlug] Any way to make code running on a cloud service publicly verifiable?
- From: Stephen J. Turnbull
- Re: [tlug] Any way to make code running on a cloud service publicly verifiable?
- References:
- [tlug] Any way to make code running on a cloud service publicly verifiable?
- From: Edmund Edgar
- [tlug] Any way to make code running on a cloud service publicly verifiable?
- From: Stephen J. Turnbull
- Re: [tlug] Any way to make code running on a cloud service publicly verifiable?
- From: Curt Sampson
- Re: [tlug] Any way to make code running on a cloud service publicly verifiable?
- From: Stephen J. Turnbull
- Re: [tlug] Any way to make code running on a cloud service publicly verifiable?
- From: Curt Sampson
- Re: [tlug] Any way to make code running on a cloud service publicly verifiable?
- From: Stephen J. Turnbull
- [tlug] Any way to make code running on a cloud service publicly verifiable?
- Prev by Date: Re: [tlug] (New to Tokyo) Where to find server/network equipment in Akihabara or anywhere within Tokyo?
- Next by Date: Re: [tlug] Any way to make code running on a cloud service publicly verifiable?
- Previous by thread: Re: [tlug] Any way to make code running on a cloud service publicly verifiable?
- Next by thread: Re: [tlug] Any way to make code running on a cloud service publicly verifiable?
- Index(es):
| Home Page | Mailing List | Linux and Japan | TLUG Members | Links |