List:       gentoo-dev
Subject:    Re: [gentoo-dev] Re: git security (SHA-1)
From:       hasufell <hasufell () gentoo ! org>
Date:       2014-09-21 11:53:47
Message-ID: 541EBC4B.8010208 () gentoo ! org

Ulrich Mueller:
>>>>>> On Sun, 21 Sep 2014, Michał Górny wrote:
> 
>> Do you really consider keeping a key open for machine signing
>> somewhat secure?
> 
> You mean, as compared to manifests (or commits) signed by 250
> different developers' keys?
> 

That's the actual security problem in Gentoo: 250 developers (which will
not be fixed by SHA256 and not by an infra key).

I think this discussion is derailing and unrelated to practical
security, but you keep talking _only_ about hashes instead of... well,
security which is not just about maths, but also about probability,
resources, configuration and project structure.

If you keep pushing into this direction without an implementation that
solves it then you will just have no one care about git migration any more.
