Re: ‘core-updates’ merge is a squashed commit

[Andy Wingo]

On Thu 04 Aug 2016 22:05, Leo Famulari <address@hidden> writes:

> On Thu, Aug 04, 2016 at 06:55:34PM +0200, Andy Wingo wrote:
>> On Thu 04 Aug 2016 18:44, Leo Famulari <address@hidden> writes:
>> 
>> > How would the rest of us distinguish between
>> >
>> > 1) a range of your commits with a signed HEAD
>> > 2) a range of your commits with a signed HEAD that you pushed after I
>> > pushed a commit created with `git commit --author="Andy Wingo"
>> 
>> I'm not sure what the threat model here is, and surely this is mostly
>> because I am ignorant :)  Would you mind elaborating a bit more?
>
> I admit, the example is really contrived.
>
> My point is that, as far as I know, there is no way to know who exactly
> is behind an unsigned Git commit.
>
> The "Author" and "Commit" information seen in `git log --format=full` is
> trivially forged, for example by altering the [user] field of your Git
> configuration file.

Yeah.  I guess I don't see see "author misattribution on unsigned
commits" as part of the threat model.

My mental model is that if you have a signed commit A with unsigned
parents B, C, ..., that it's the person who signed commit A who signs
off on commits B, C, and so on.  That person attests to the integrity of
that range of commits, *including* the author field(s).

If you sign a HEAD which brings in an unsigned commit that you (or
someone else) forged to use me (say) as --author, it's true, I can claim
not to have made it.  But that seems a bit irrelevant to any property we
care about; dunno...

Andy