From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <drepper@redhat.com>
Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124])
	by sourceware.org (Postfix) with ESMTPS id 5E55A3857C4A
	for <gcc@gcc.gnu.org>; Wed, 28 Sep 2022 17:03:35 +0000 (GMT)
DMARC-Filter: OpenDMARC Filter v1.4.1 sourceware.org 5E55A3857C4A
Authentication-Results: sourceware.org; dmarc=pass (p=none dis=none) header.from=redhat.com
Authentication-Results: sourceware.org; spf=pass smtp.mailfrom=redhat.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;
	s=mimecast20190719; t=1664384615;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:cc:mime-version:mime-version:content-type:content-type:
	 in-reply-to:in-reply-to:references:references;
	bh=oCedD7Xub9OoFwU9LHFmMyl1ByNFGee2yn6pIySddOQ=;
	b=JD4urZwMknFdoECmHfppRK52QQ06ev0L8rqwt/8iHumLLT9Ag6w0HUd/pCill8vuwJ9bxL
	Ors4011eWni9qcfT7FQIKe9wr6sxGfpgqjrbRoiAAJxWGp1cqbknShaqT2k/mrAFl+zx1F
	1xup8gSEoWXN0VmR42kJ1rmDllN8mII=
Received: from mail-pl1-f199.google.com (mail-pl1-f199.google.com
 [209.85.214.199]) by relay.mimecast.com with ESMTP with STARTTLS
 (version=TLSv1.3, cipher=TLS_AES_128_GCM_SHA256) id
 us-mta-339-E3-lpCNZMKmaGWlzYrfDrQ-1; Wed, 28 Sep 2022 13:03:29 -0400
X-MC-Unique: E3-lpCNZMKmaGWlzYrfDrQ-1
Received: by mail-pl1-f199.google.com with SMTP id m10-20020a170902db0a00b001789bd49db9so8661947plx.23
        for <gcc@gcc.gnu.org>; Wed, 28 Sep 2022 10:03:29 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20210112;
        h=cc:to:subject:message-id:date:from:in-reply-to:references
         :mime-version:x-gm-message-state:from:to:cc:subject:date;
        bh=oCedD7Xub9OoFwU9LHFmMyl1ByNFGee2yn6pIySddOQ=;
        b=ryghNQXx3xAV4arS1uHcjkZnCuDPMq0KCFPM3XZTzhvurBcy0y0k8rgWZsalJKBg8I
         HUgmprdVwm7e0AsbVSPt46/BjBGnwKsNrBvyB83qOrE5gO71Kk0RYdgZXbzu9Cx+zbi8
         BmMWucPGI1TbTr5SBTlNdW7UPf53DGbaTwWUvG9rD7xkcZs9t4TJWffpi1HOnGBJIrVI
         rcZcvhflTYJQk+AXMX18t0qKxK+asrZBSjE958ojHpeYuW5gf1R9jYr1uWv4jS/+WYtU
         w9cqUt3gex10hwru+2DKV1GycF2xMjAI3G2cjl3nGIr2TGTWNjx7/4+GKCkgnYAgd61/
         HELQ==
X-Gm-Message-State: ACrzQf3DAvMeJdHTvjf3jLs9npymN5McJt1Yc8DuYcq/UngDkV+t/s69
	sz7ZK6Ihicm46EwI0Coe9SUJk0ms790Jytfp5OVsy/yThP8xCOM0u5Be9zuNvEGZMD3eFJ7CPKW
	O7Z88m6D/JODCQ6GBFyNq2SA=
X-Received: by 2002:a63:69ca:0:b0:43c:1ef6:ae9d with SMTP id e193-20020a6369ca000000b0043c1ef6ae9dmr28242886pgc.79.1664384608962;
        Wed, 28 Sep 2022 10:03:28 -0700 (PDT)
X-Google-Smtp-Source: AMsMyM5OVrMskthGx9xXla3MDiWoyh15nQH4WoIQBAo65VTOyVBQ5fRT+GJDfq7y9fN7BT5QxDJw0nUBt1ubR8hQ6js=
X-Received: by 2002:a63:69ca:0:b0:43c:1ef6:ae9d with SMTP id
 e193-20020a6369ca000000b0043c1ef6ae9dmr28242861pgc.79.1664384608711; Wed, 28
 Sep 2022 10:03:28 -0700 (PDT)
MIME-Version: 1.0
References: <CAP3s5k_KxtoHcEff7B=m9ew1w4YZZg6o4_1EhyjT0dc0_B9USA@mail.gmail.com>
 <CAFiYyc1r0JKh1VG_=YSuvzp2QWs+wsU_C6=4O79iwABOSxDx8Q@mail.gmail.com> <CAP3s5k9H5f68r96HyMb5Pk1-_5sCX42Cu1vjqCXMQQSmOeycpA@mail.gmail.com>
In-Reply-To: <CAP3s5k9H5f68r96HyMb5Pk1-_5sCX42Cu1vjqCXMQQSmOeycpA@mail.gmail.com>
From: Ulrich Drepper <drepper@redhat.com>
Date: Wed, 28 Sep 2022 19:03:17 +0200
Message-ID: <CAP3s5k-HygxYwOVbkRj36oByw1SyoT7J3MAttHoOdB91ggZ-DQ@mail.gmail.com>
Subject: Re: commit signing
To: Richard Biener <richard.guenther@gmail.com>
Cc: Ulrich Drepper via Gcc <gcc@gcc.gnu.org>
X-Mimecast-Spam-Score: 0
X-Mimecast-Originator: redhat.com
Content-Type: multipart/alternative; boundary="0000000000005f517305e9bfbd14"
X-Spam-Status: No, score=-4.3 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,HTML_MESSAGE,RCVD_IN_DNSWL_LOW,SPF_HELO_NONE,SPF_NONE,TXREP autolearn=ham autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on server2.sourceware.org
List-Id: <gcc.gcc.gnu.org>

--0000000000005f517305e9bfbd14
Content-Type: text/plain; charset="UTF-8"

On Wed, Sep 14, 2022 at 2:07 PM Ulrich Drepper <drepper@redhat.com> wrote:

> On Wed, Sep 14, 2022 at 1:31 PM Richard Biener <richard.guenther@gmail.com>
> wrote:
>
>> How does this improve supply chain security if the signing happens
>> automagically rather than manually at points somebody actually
>> did extra verification?
>
>
> It works only automatically if you have ssh-agent (and/or gpg-agent)
> running.  I assume that's what developers do anyway because that's how they
> like push changes to sourceware.  If you don't have an agent you'll have to
> provide the signature of the signing key at the time of the commit.
>


This was the last message I sent and no further questions or comments
arrived.

Shall I prepare a small patch with an initial version of the key files
(with my key), perhaps a patch to the setup script Jonathan mentioned, and
a few words to be added to a README or similar file (which?)?

Initially this could be optional and we could gather data on the pickup and
only after an initial period switch to make the signing mandatory.

--0000000000005f517305e9bfbd14--