Re: Commits signed by key not registered on Savannah
From: Leo Famulari
Subject: Re: Commits signed by key not registered on Savannah
Date: Sun, 12 Feb 2017 18:01:45 -0500
User-agent: Mutt/1.7.2 (2016-11-26)
On Sun, Feb 12, 2017 at 04:55:14PM -0500, Mark H Weaver wrote:
> David Craven <address@hidden> writes:
> > The integrity of our source code is given by peer review - we are
> > subscribed to the commits ML so we see other people's commits.
>
> If we're concerned about security (and we should be), then we should not
> rely on the commits mailing list (or any web interface) to show us the
> same set of commits that have been pushed to the repo. An attacker
> could prevent some of those emails from reaching us, or modify them in
> transit to introduce a malicious commit into our repository without it
> being noticed.
In fact, the guix-commits mailing list was not sending any messages for
a few days recently:
http://lists.gnu.org/archive/html/savannah-hackers-public/2017-02/msg00030.html