From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <jakub@redhat.com>
Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124])
	by sourceware.org (Postfix) with ESMTPS id 99F353858D37
	for <gcc@gcc.gnu.org>; Wed, 14 Sep 2022 12:07:20 +0000 (GMT)
DMARC-Filter: OpenDMARC Filter v1.4.1 sourceware.org 99F353858D37
Authentication-Results: sourceware.org; dmarc=pass (p=none dis=none) header.from=redhat.com
Authentication-Results: sourceware.org; spf=pass smtp.mailfrom=redhat.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;
	s=mimecast20190719; t=1663157240;
	h=from:from:reply-to:reply-to:subject:subject:date:date:
	 message-id:message-id:to:to:cc:cc:mime-version:mime-version:
	 content-type:content-type:in-reply-to:in-reply-to:  references:references;
	bh=71nxNCHI5aSJNfJEKK2z1CPiH9mC4ry7qZDxS3QQ3yw=;
	b=OFSc9qpZ6quMSqej9zDWQrmgB6j4fXfpL0pyy61EuSQQ7UVir2LPQzgpKJpDjfBNSccADf
	Jkn4yDgPhMllQ4gyWzhgRRD85vul3O4AWXUYwOPVfdzu3TTAtOGbaBNJO6e7iA0643lwpa
	9dGoyvYmjnxxiqlVdoBDF9R6wMRSIrk=
Received: from mimecast-mx02.redhat.com (mimecast-mx02.redhat.com
 [66.187.233.88]) by relay.mimecast.com with ESMTP with STARTTLS
 (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
 us-mta-556-gVA7vageOryFND0xT9eObw-1; Wed, 14 Sep 2022 08:07:19 -0400
X-MC-Unique: gVA7vageOryFND0xT9eObw-1
Received: from smtp.corp.redhat.com (int-mx10.intmail.prod.int.rdu2.redhat.com [10.11.54.10])
	(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by mimecast-mx02.redhat.com (Postfix) with ESMTPS id F286A811E67;
	Wed, 14 Sep 2022 12:07:17 +0000 (UTC)
Received: from tucnak.zalov.cz (unknown [10.39.192.41])
	by smtp.corp.redhat.com (Postfix) with ESMTPS id B23A0492B05;
	Wed, 14 Sep 2022 12:07:17 +0000 (UTC)
Received: from tucnak.zalov.cz (localhost [127.0.0.1])
	by tucnak.zalov.cz (8.17.1/8.17.1) with ESMTPS id 28EC7Fdb1975854
	(version=TLSv1.3 cipher=TLS_AES_256_GCM_SHA384 bits=256 verify=NOT);
	Wed, 14 Sep 2022 14:07:15 +0200
Received: (from jakub@localhost)
	by tucnak.zalov.cz (8.17.1/8.17.1/Submit) id 28EC7E6U1975853;
	Wed, 14 Sep 2022 14:07:14 +0200
Date: Wed, 14 Sep 2022 14:07:14 +0200
From: Jakub Jelinek <jakub@redhat.com>
To: Richard Biener <richard.guenther@gmail.com>
Cc: Ulrich Drepper <drepper@redhat.com>,
        Ulrich Drepper via Gcc <gcc@gcc.gnu.org>
Subject: Re: commit signing
Message-ID: <YyHD8kwFVGJomghD@tucnak>
Reply-To: Jakub Jelinek <jakub@redhat.com>
References: <CAP3s5k_KxtoHcEff7B=m9ew1w4YZZg6o4_1EhyjT0dc0_B9USA@mail.gmail.com>
 <CAFiYyc1r0JKh1VG_=YSuvzp2QWs+wsU_C6=4O79iwABOSxDx8Q@mail.gmail.com>
MIME-Version: 1.0
In-Reply-To: <CAFiYyc1r0JKh1VG_=YSuvzp2QWs+wsU_C6=4O79iwABOSxDx8Q@mail.gmail.com>
X-Scanned-By: MIMEDefang 3.1 on 10.11.54.10
X-Mimecast-Spam-Score: 0
X-Mimecast-Originator: redhat.com
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
X-Spam-Status: No, score=-4.0 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_LOW,SPF_HELO_NONE,SPF_NONE,TXREP,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on server2.sourceware.org
List-Id: <gcc.gcc.gnu.org>

On Wed, Sep 14, 2022 at 01:31:06PM +0200, Richard Biener via Gcc wrote:
> How does this improve supply chain security if the signing happens
> automagically rather than manually at points somebody actually
> did extra verification?  That is, what's the attack vector this helps with?
> 
> What's the extra space requirement if every commit is signed?  I suspect
> the signatures themselves do not compress well.

Note, right now we sign the release tags and I think one basepoint
(basepoints/gcc-11) is signed too (but the rest of them aren't).

	Jakub