bug-gettext

Re: gettext sign git tags possible?


From: Bruno Haible
Subject: Re: gettext sign git tags possible?
Date: Wed, 28 Aug 2024 12:21:31 +0200

Hi,

Tobias Powalowski wrote:
> we are switching to git building on Arch Linux wherever possible, would
> you be so kind and also sign the tags on gettext?

No, I won't.

1) The preferred form of distribution of packages' source code, in GNU,
   is tarballs. We make regular releases, with tarballs on ftp.gnu.org,
   and these tarballs are signed with the uploader's GPG key.
   That is what you should use.

2) Regarding signing of git tags:
   I have read [1][2][3], and here's what I think:

     2.1) Signing tags without signing commits is pointless.
     2.2) Signing commits is a way to discourage / prohibit
          anonymous or pseudonymous contributions and therefore
          undesirable.
     2.3) Signing tags and commits would not have prevented
          the XZ backdoor disaster.

   In depth:

     2.1) Signing tags without signing commits is pointless.

          Proof:
          - Suppose an evil person makes bad commits that fool
            everyone, and then the (good) maintainer signs it. The bad
            commits are still in there; the maintainer's signature has
            not changed that.
          - If you trust a git repository, and someone pretends that a
            certain commit is the release, but it is in fact a different
            commit, what does it change? You may distribute code that is
            more buggy than usual. That's all.

          So really, what you need to do, is to pull from the upstream
          git repository, not from some person's mirror on github or else.

     2.2) Signing commits is a way to discourage / prohibit
          anonymous or pseudonymous contributions and therefore
          undesirable.

          Discouraging or prohibiting signed commits is a way of saying
          "we don't know your name, therefore we don't want your contributions".
          But
            - The need for anonymity in some situations is known for
              millennia [4].
            - "Asahi Lina" is a pseudonym. I'm glad that she contributes GPU
              drivers to Linux [5]. It is better than if she did not. It would
              be undesirable to ban her.

     2.3) Signing tags and commits would not have prevented
          the XZ backdoor disaster.

          Jia Tan had a GPG key [6]. A requirement to GPG-sign commits and/or
          tags would therefore not have prevented their actions.

CCing <jemarch@gnu.org>. Maybe you want to add your opinion to this thread?

Bruno

[1] https://stackoverflow.com/questions/5663733/
[2] https://stackoverflow.com/questions/12188940/
[3] https://softwareengineering.stackexchange.com/questions/212192/
[4] The Bible, Gospel of John, chapter 7, verse 10.
[5] https://virtualyoutuber.fandom.com/wiki/Asahi_Lina
[6] https://www.reddit.com/r/archlinux/comments/1byfwy3/found_jia_tan_of_xz_package_backdoor_gpg_key_in/
