[Bitcoin-development] DarkWallet Best Practices

Peter Todd pete at petertodd.org
Thu Dec 19 17:44:06 UTC 2013


On Thu, Dec 19, 2013 at 04:04:17PM -0000, Amir Taaki wrote:

Looks like for this to actually go to the email lists they need to be in
the To: field.

> About signing each commit, Linus advises against it:
> 
> http://git.661346.n2.nabble.com/GPG-signing-for-git-commit-td2582986.html
> 
> "Btw, there's a final reason, and probably the really real one. Signing
> each commit is totally stupid. It just means that you automate it, and you
> make the signature worth less. It also doesn't add any real value, since
> the way the git DAG-chain of SHA1's work, you only ever need _one_
> signature to make all the commits reachable from that one be effectively
> covered by that one. So signing each commit is simply missing the point."
> 
> What do you reckon?

His point is valid, but it's valid in the context of how Linux
development is done, not Bitcoin. The key difference being that Linus
and other kernel developers have a model where code is passed around on
mailing lists and between developers rather than stored on untrustworthy
third-parties like github.

For instance typically someone will submit a patch to the kernel
development mailing list, example:
http://www.mail-archive.com/linux-kernel@vger.kernel.org/msg558841.html
That patch isn't signed, and the email itself doesn't have to be PGP
signed either. However a trusted maintainer of the relevant subsystem
will (in theory) look over the patch carefully and commit it to their
personal tree on a secure computer. (in theory)

At some point the maintainer will create a *signed* tag on a commit with
one or more patches, often many patches, another another maintainer
higher in the hierarchy (maybe even Linus) will *merge* that tag into
their tree, hopefully checking the signature first! Modern versions of
git actually include the tag signature in the merge commit, so the
result is signed by the original maintainer; note how this contradicts
Linus's email with regard to the idea of separable signatures.
Eventually multiple such groups of patches build up and the result is
tagged as a release, and that release tag is signed.

Accountability in this model rests with maintainers, and source-code
stays on a multitude of personal, secure, locations. (in theory)


However since we like to use github and tend to get code directly from
it our main risk is github (or similar) being compromised. Given that I
think we're much better off using per-commit signatures, and in effect
continually making the statement "Yes, this commit/merge was really
produced by me on my machine, although I may have made a mistake and
might not have looked at the code as thoroughly as I maybe should have."
The statement *is* weaker than Linus's model of "This signature is
Really Official and Stuff and I've carefully checked everything." but I
think we're much more interested in getting a strong guarantee on who
made the commit than some strong statement about its actual contents -
humans are fallible anyway.

> Also do you approve of the other link I sent you?
> 
> https://wiki.unsystem.net/index.php/DarkWallet/Negotiation

I think you're conflating identities with the messaging layer; focus on
the latter and use off-the-shelf identity systems like OpenPGP and SSL
certificate authorities. Remember that every new identity system that
gets involved is another way for an attacker to MITM attack you; you're
better off using whatever the user is using already.

-- 
'peter'[:-1]@petertodd.org
00000000000000016a442255c6d15cd6e085991c1efffc9caeff5fc6da14368a
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 490 bytes
Desc: Digital signature
URL: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/attachments/20131219/84d0b90a/attachment.sig>


More information about the bitcoin-dev mailing list