Message-ID: <7vk45ocl8j.fsf@alter.siamese.dyndns.org>
Date:	Thu, 22 Dec 2011 14:09:00 -0800
From:	Junio C Hamano <gitster@...ox.com>
To:	Linus Torvalds <torvalds@...ux-foundation.org>
Cc:	Jeff Garzik <jeff@...zik.org>,
	Andrew Morton <akpm@...ux-foundation.org>,
	linux-ide@...r.kernel.org, LKML <linux-kernel@...r.kernel.org>
Subject: Re: [git patch] libata build fix for 3.2-rc

Linus Torvalds <torvalds@...ux-foundation.org> writes:

> On Thu, Dec 22, 2011 at 12:20 PM, Jeff Garzik <jeff@...zik.org> wrote:
>>
>> A sparc build fix...
>
> Pulled..
>
>> -----BEGIN PGP SIGNED MESSAGE-----
>
> And these days it would actually be better if you just use git signed
> tags instead, and ask me to pull them. You don't need to do anything
> special per se (just "git tag -s" to create the signature, and then
> "git push -tags" to push it out), it's only the merger who has to then
> have a recent enough git version that pulling the tag will DTRT. And I
> do.

"git push --tags" may be a bit too much. A lieutenant can just push that
signed tag being requested to get pulled and nothing else. And after the
integrator responds to the request, the signed tag can be removed from the
publishing repository of the requestor to keep namespace clean and neat.

> See
>   https://lkml.org/lkml/2011/12/14/543
>
> that I sent to Ted about how it ends up looking - you can check out
> that commit 2240a7bb479c with "git show" and "git cat-file commit" to
> see how your signature would be archived and saved without actually
> being bothersome when just looking at the history.

This falls into a shameless plug category, but at http://goo.gl/3OImV
there is my write-up on the whole workflow.

We would need to add some Porcelain support for third-party (as opposed to
the integrator who is responding to the pull request and verifies the
signed tag himself) auditors, by the way.
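
The single-tag publish and later cleanup described in the reply above, sketched as shell helpers. This is an added example, not part of the original message or of git itself; the helper names, the `TAG_OPT` switch and the remote and tag names are assumptions for illustration.

```shell
#!/bin/sh
# Added example: helper names, TAG_OPT and the remote/tag names used by a
# caller are assumptions, not anything defined by git or by the thread.

# Create the tag the pull request will name. With a GPG key configured this
# runs "git tag -s" as in the thread; setting TAG_OPT=-a makes an unsigned
# annotated tag instead, so the helpers can be tried without a key.
make_pull_tag() {      # usage: make_pull_tag <tag> <message>
    git tag "${TAG_OPT:--s}" -m "$2" "$1"
}

# Publish only the named tag. Unlike "git push --tags", no other local tag
# (scratch tags, old release candidates) reaches the publishing repository.
publish_pull_tag() {   # usage: publish_pull_tag <remote> <tag>
    git push --quiet "$1" "refs/tags/$2:refs/tags/$2"
}

# Once the integrator has responded to the request, delete the tag from the
# publishing repository. The local tag is left in place.
retire_pull_tag() {    # usage: retire_pull_tag <remote> <tag>
    git push --quiet "$1" ":refs/tags/$2"
}

# List the tag names currently on the remote, one per line. Peeled entries
# ("refs/tags/x^{}") that ls-remote prints for annotated tags are skipped.
remote_tags() {        # usage: remote_tags <remote>
    git ls-remote --tags "$1" | sed -n 's|.*refs/tags/\([^^]*\)$|\1|p'
}
```

Before merging, the integrator (or anyone else who fetched the tag) can check the signature with `git verify-tag <tag>`.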
