public inbox for
 help / color / mirror / Atom feed
From: Mark Wielaard <>
To: "Frank Ch. Eigler via Overseers" <>
Cc: "Frank Ch. Eigler" <>
Subject: Re: gitsigur for protecting git repo integrity
Date: Tue, 4 Jul 2023 10:32:45 +0200	[thread overview]
Message-ID: <> (raw)
In-Reply-To: <ZJ3Tihvu6GbOb8/>

Hi Frank,

On Thu, Jun 29, 2023 at 02:55:06PM -0400, Frank Ch. Eigler via Overseers wrote:
> > I'd like to share a little gadget I've been working on recently.
> > 
> > It's a prototype git server hook for allowing participating projects
> > to check and/or enforce that commits to certain branches of
> > shared-access git repos such as those on sourceware are properly
> > gpg-signed.  [...]
> Some questions have arisen offline about the relationship of this
> script to systems such as sigstore and b4.  Here's a rough comparison
> of the three.  This is pretty terse point-by-point analysis.  I'd be
> happy to elaborate on any aspect of it.
> tl;dr: Overall, it turns out to be more of a composition situation
> rather than competition.

Very nice, this was very helpful.

On irc we also discussed signed git pushes (which are now also enabled
on sourceware). Which provides another "layer" of integrity.

As reply to our fosstodon post someone from the
tor project posted an overview of "Git repository integrity solutions"
they wrote up for their project:

It references this discussion, so now I am completing the circle :)



  reply	other threads:[~2023-07-04  8:32 UTC|newest]

Thread overview: 11+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2023-06-17  0:03 Frank Ch. Eigler
2023-06-18 23:03 ` Mark Wielaard
2023-06-19 20:20   ` Frank Ch. Eigler
2023-06-29 18:55 ` Frank Ch. Eigler
2023-07-04  8:32   ` Mark Wielaard [this message]
2023-07-05 18:25     ` Mark Wielaard
2023-07-05 20:01       ` Frank Ch. Eigler
2023-07-10 21:35         ` Ludovic Courtès
2023-07-10 22:05           ` Frank Ch. Eigler
2023-07-14 13:18             ` Ludovic Courtès
2023-07-14 14:00               ` Frank Ch. Eigler

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \ \ \ \ \

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).