From: Ludovic Courtès
To: "Frank Ch. Eigler"
Cc: Overseers mailing list, Mark Wielaard, "Frank Ch. Eigler"
Subject: Re: gitsigur for protecting git repo integrity
Date: Mon, 10 Jul 2023 23:35:40 +0200
Message-ID: <87ilar78lv.fsf@gnu.org>
In-Reply-To: <20230705200131.GI25859@redhat.com> (Frank Ch. Eigler's message of "Wed, 5 Jul 2023 16:01:31 -0400")
References: <20230704083245.GB11693@gnu.wildebeest.org> <20230705182544.GF11693@gnu.wildebeest.org> <20230705200131.GI25859@redhat.com>

Hi,

"Frank Ch. Eigler" wrote:

>> My understanding is that gitsigur checks signatures against an
>> out-of-band list of authorized keys, which isn’t very useful because
>> the set of authorized committers changes over time.
>
> The list of authorized keys is stored in a selected branch

If it’s in another branch than the code it’s about, how can you tell
whether a key was authorized at a given point in the commit history?

Thanks,
Ludo’.