Date:	Thu, 31 Mar 2016 21:19:49 -0400
From:	Theodore Ts'o <tytso@....edu>
To:	Mike Marshall <hubcap@...ibond.com>
Cc:	Linus Torvalds <torvalds@...ux-foundation.org>,
	Martin Brandenburg <martin@...ibond.com>,
	Al Viro <viro@...iv.linux.org.uk>,
	Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
	linux-fsdevel <linux-fsdevel@...r.kernel.org>
Subject: Re: [git pull] orangefs bugfixes for rc2

On Thu, Mar 31, 2016 at 05:01:47PM -0400, Mike Marshall wrote:
> 
> but from our kernel.org tree... pull requests for reviewed code
> from kernel.org doesn't need signed tags...

Signed tags are considered best practice, even if your git tree is
hosted on git.kernel.org.  One of the reasons for this is because even
after Linus merges your changes, someone can independently verify that
the changes came from you; they don't have to trust Linus or whatever
git server they happened to pull the tree from.  For example, try
running the command:

  git show --show-signature faeb20ecfa398b043c3224607f512c009c51653d

You'll see something like this:

commit faeb20ecfa398b043c3224607f512c009c51653d
merged tag 'ext4_for_linus'
gpg: Signature made Wed 16 Mar 2016 05:25:58 PM EDT
gpg:                using RSA key 0xF2F95956950D81A3
gpg: Good signature from "Theodore Ts'o <tytso@....edu>" [ultimate]
gpg:                 aka "Theodore Ts'o <tytso@...ian.org>" [ultimate]
gpg:                 aka "Theodore Ts'o <tytso@...gle.com>" [ultimate]
Primary key fingerprint: 3AB0 57B7 E78D 945C 8C55  91FB D36F 769B C118 04F0
     Subkey fingerprint: 2B69 B954 DBFE 0879 2881  37C9 F2F9 5956 950D 81A3
Merge: 364e8dd 0304688
Author: Linus Torvalds <torvalds@...ux-foundation.org>
Date:   Thu Mar 17 16:31:18 2016 -0700

    Merge tag 'ext4_for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4
    
    Pull ext4 updates from Ted Ts'o:
     "Performance improvements in SEEK_DATA and xattr scalability
      improvements, plus a lot of clean ups and bug fixes"

So while a signed tag might not be _required_, it's definitely
preferred.

Cheers,

						- Ted
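
An added example (not part of the original message): a good signature only proves that some key signed the tag, so an independent check should also pin whose key it was. This sketch assumes `git show --show-signature` output in the format quoted above; the names `check_merge_signer`, `PINNED_FPR` and `sample_show_output` are hypothetical.

```sh
#!/bin/sh
# Added example (not from the original message): pin the signer of a merged tag.
# Fingerprint printed in the message above, spaces removed.
PINNED_FPR="3AB057B7E78D945C8C5591FBD36F769BC11804F0"

# check_merge_signer EXPECTED_FPR
# Reads `git show --show-signature <merge>` output on stdin; succeeds only if
# gpg reported a good signature, no bad one, and every primary key fingerprint
# printed equals EXPECTED_FPR. Anything else, including missing lines, fails.
check_merge_signer() (
    expected=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    good=0 bad=0 match=0 other=0
    while IFS= read -r line; do
        case "$line" in
            "") break ;;   # header ends here; the commit body is never parsed
            "gpg: Good signature from "*) good=1 ;;
            "gpg: BAD signature from "*) bad=1 ;;
            "Primary key fingerprint: "*)
                fpr=$(printf '%s' "${line#Primary key fingerprint: }" | tr -d ' ')
                if [ "$fpr" = "$expected" ]; then match=1; else other=1; fi ;;
        esac
    done
    [ "$good" -eq 1 ] && [ "$bad" -eq 0 ] && [ "$match" -eq 1 ] && [ "$other" -eq 0 ]
)

# Sample input: header lines copied from the output quoted in the message above.
sample_show_output() {
    cat <<'EOF'
commit faeb20ecfa398b043c3224607f512c009c51653d
merged tag 'ext4_for_linus'
gpg: Signature made Wed 16 Mar 2016 05:25:58 PM EDT
gpg:                using RSA key 0xF2F95956950D81A3
gpg: Good signature from "Theodore Ts'o <tytso@....edu>" [ultimate]
Primary key fingerprint: 3AB0 57B7 E78D 945C 8C55  91FB D36F 769B C118 04F0
     Subkey fingerprint: 2B69 B954 DBFE 0879 2881  37C9 F2F9 5956 950D 81A3
Merge: 364e8dd 0304688
Author: Linus Torvalds <torvalds@...ux-foundation.org>
Date:   Thu Mar 17 16:31:18 2016 -0700

    Merge tag 'ext4_for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4
EOF
}

# Stand-alone run; in a real tree, pipe in: LC_ALL=C git show --show-signature <merge>
if sample_show_output | check_merge_signer "$PINNED_FPR"; then
    echo "signer matches pinned key"
else
    echo "signer NOT verified"
fi
```

If gpg prints no `Primary key fingerprint:` line for a signature, the check fails closed rather than accepting the merge.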