<div dir="ltr">I think this is the only project where people are concerened wether commit messages are signed or not.<br><br>Commit messages should be merged only upon their correctness, not their signature.<br><br>I could care less if I receive a buggy patch that's signed.</div>
<div class="gmail_extra"><br clear="all"><div><a href="http://twitter.com/gubatron" target="_blank">http://twitter.com/gubatron</a><br></div>
<br><br><div class="gmail_quote">On Sat, Aug 23, 2014 at 2:17 AM, Troy Benjegerdes <span dir="ltr"><<a href="mailto:hozer@hozed.org" target="_blank">hozer@hozed.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div class="HOEnZb"><div class="h5">On Fri, Aug 22, 2014 at 09:20:11PM +0200, xor wrote:<br>
> On Tuesday, August 19, 2014 08:02:37 AM Jeff Garzik wrote:<br>
> > It would be nice if the issues and git repo for Bitcoin Core were not<br>
> > on such a centralized service as github, nice and convenient as it is.<br>
><br>
> Assuming there is a problem with that usually is caused by using Git the wrong<br>
> way or not knowing its capabilities. Nobody can modify / insert a commit<br>
> before a GnuPG signed commit / tag without breaking the signature.<br>
> More detail at the bottom at [1], I am sparing you this here because I suspect<br>
> you already know it and there is something more important I want to stress:<br>
><br>
> Bitcoin has currently 4132 forks on Github. This means that you can get<br>
> contributions by pull requests from 4132 developers. That is a HUGE amount,<br>
> and you shouldn't ditch that due to not using all features of git :)<br>
> To get a grasp of how much that is: When you search projects with more than<br>
> 4100 forks, there are only 32 of them!<br>
> You are one of the top open source projects, and you should be grateful for<br>
> that and keep Github up so the other people can send you pull requests with<br>
> their improvements :) Volunteer contributions need to be honored and made as<br>
> easy as possible, for people are investing their personal time.<br>
><br>
> Greetings and thanks for your work,<br>
> xor, one developer of <a href="https://freenetproject.org" target="_blank">https://freenetproject.org</a><br>
><br>
><br>
> [1] If you GPG-sign a commit / tag, you sign its hash, including the hash of<br>
> the previous commit. So is a chain of hashes and thus of trust from all<br>
> commits up to what is signed. It's pretty similar to the blockchain actually<br>
> :)<br>
> So Github cannot modify anything. If they did, the head of the hash-chain<br>
> would change, and thus the signature would break. Git would notify people<br>
> about that when they pull.<br>
> Of course people can still ignore that warning and let Github rewrite their<br>
> Git history. But people who aren't educated about this shouldn't be release<br>
> managers. They should not even have push access to your main repository, they<br>
> should only be sending pull requests. Thats is where the decentralization of<br>
> Git is: In the pull-requests. The people who deal with them should verify tag<br>
> and possibly even commit signatures carefully, and not accept anything which<br>
> is not signed. Also, before deploying a binary, the very same commit which is<br>
> going to become a binary has to be given a signed tag by the release manager,<br>
> and by everyone who reviews the code. The person who deploys the actual binary<br>
> needs to verify that signature.<br>
> There is an article which elaborates on some of the ways you have to ensure<br>
> Github doesn't insert malicious code - but please read it with care, some of<br>
> its recommendations are bad, especially the part where its about rebasing<br>
> because that DOES rewrite history which is what you want to prevent:<br>
> <a href="http://mikegerwitz.com/papers/git-horror-story" target="_blank">http://mikegerwitz.com/papers/git-horror-story</a><br>
><br>
><br>
<br>
<br>
</div></div>This is why I clone git to mercurial, which is generally designed around the<br>
assumption that history is immutable. You can't rewrite blockchain history,<br>
and we should not be re-writing (rebasing) commit history either.<br>
<br>
The problem with github is it's too tempting to look at the *web page*, which<br>
is NOT pgp-signed, and hit the 'approve' button when you might have someone<br>
in the middle approving an unsigned changeset because you're in a hurry to<br>
get the latest new critical OpenSSL 0day security patch build released.<br>
<br>
We need multiple redundant 'master' repositories run by different people in<br>
different jurisdictions that get updated on different schedules, and have all<br>
of these people pay attention to operational security, and not just outsource<br>
it all to github because it's convenient.<br>
<br>
<br>
There's no reason to *stop* using github, cause it *is* easy... but you want<br>
to have multiple review of *the actual code*, not just signatures and see<br>
if the changes really do make sense.<br>
<div class="im HOEnZb"><br>
--<br>
----------------------------------------------------------------------------<br>
Troy Benjegerdes 'da hozer' <a href="mailto:hozer@hozed.org">hozer@hozed.org</a><br>
7 elements earth::water::air::fire::mind::spirit::soul <a href="http://grid.coop" target="_blank">grid.coop</a><br>
<br>
Never pick a fight with someone who buys ink by the barrel,<br>
nor try buy a hacker who makes money by the megahash<br>
<br>
<br>
</div><div class="im HOEnZb">------------------------------------------------------------------------------<br>
Slashdot TV.<br>
Video for Nerds. Stuff that matters.<br>
<a href="http://tv.slashdot.org/" target="_blank">http://tv.slashdot.org/</a><br>
</div><div class="HOEnZb"><div class="h5">_______________________________________________<br>
Bitcoin-development mailing list<br>
<a href="mailto:Bitcoin-development@lists.sourceforge.net">Bitcoin-development@lists.sourceforge.net</a><br>
<a href="https://lists.sourceforge.net/lists/listinfo/bitcoin-development" target="_blank">https://lists.sourceforge.net/lists/listinfo/bitcoin-development</a><br>
</div></div></blockquote></div><br></div>