From: Mark Wielaard <mark@klomp.org>
To: "Frank Ch. Eigler via Overseers" <overseers@sourceware.org>
Cc: "Frank Ch. Eigler" <fche@elastic.org>
Subject: Re: gitsigur for protecting git repo integrity
Date: Tue, 4 Jul 2023 10:32:45 +0200 [thread overview]
Message-ID: <20230704083245.GB11693@gnu.wildebeest.org> (raw)
In-Reply-To: <ZJ3Tihvu6GbOb8/R@elastic.org>
Hi Frank,
On Thu, Jun 29, 2023 at 02:55:06PM -0400, Frank Ch. Eigler via Overseers wrote:
> > I'd like to share a little gadget I've been working on recently.
> >
> > It's a prototype git server hook for allowing participating projects
> > to check and/or enforce that commits to certain branches of
> > shared-access git repos such as those on sourceware are properly
> > gpg-signed. [...]
>
> Some questions have arisen offline about the relationship of this
> script to systems such as sigstore and b4. Here's a rough comparison
> of the three. This is pretty terse point-by-point analysis. I'd be
> happy to elaborate on any aspect of it.
>
> tl;dr: Overall, it turns out to be more of a composition situation
> rather than competition.
Very nice, this was very helpful.
On irc we also discussed signed git pushes (which are now also enabled
on sourceware). Which provides another "layer" of integrity.
As reply to our fosstodon post
https://fosstodon.org/@sourceware/110629743586988452 someone from the
tor project posted an overview of "Git repository integrity solutions"
they wrote up for their project:
https://gitlab.torproject.org/tpo/tpa/team/-/wikis/howto/gitlab#git-repository-integrity-solutions
It references this discussion, so now I am completing the circle :)
Cheers,
Mark
next prev parent reply other threads:[~2023-07-04 8:32 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-06-17 0:03 Frank Ch. Eigler
2023-06-18 23:03 ` Mark Wielaard
2023-06-19 20:20 ` Frank Ch. Eigler
2023-06-29 18:55 ` Frank Ch. Eigler
2023-07-04 8:32 ` Mark Wielaard [this message]
2023-07-05 18:25 ` Mark Wielaard
2023-07-05 20:01 ` Frank Ch. Eigler
2023-07-10 21:35 ` Ludovic Courtès
2023-07-10 22:05 ` Frank Ch. Eigler
2023-07-14 13:18 ` Ludovic Courtès
2023-07-14 14:00 ` Frank Ch. Eigler
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230704083245.GB11693@gnu.wildebeest.org \
--to=mark@klomp.org \
--cc=fche@elastic.org \
--cc=overseers@sourceware.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).