bzr.dev missing signatures
John A Meinel
john at arbash-meinel.com
Mon May 8 17:54:52 BST 2006
Robert Collins wrote:
> On Sat, 2006-05-06 at 23:14 -0500, John Arbash Meinel wrote:
>> In testing my 'bzr verify-sigs' plugin, I found that bzr.dev doesn't
>> have as many signatures as it should. I also don't believe that it has
>> all of Robert's signatures.
>>
>> Could we run "bzr pull-sigs" from my plugin:
>> http://bzr.arbash-meinel.com/plugins/signing/
>>
>> The basic problem is that merging from a branch doesn't pull in
>> signatures for revisions that it already has. So 'pull-sigs' just forces
>> it to check for any new signatures.
>
> With knits this should be cheap : patches to fetch to grab signatures
> for all revisions held locally might be a good idea... though there are
> security ramifications too I guess.
>
> Rob
I think I would prefer to hold off on that until we actually have
signature verification. Using the indexes you can easily figure out what
needs to be merged, and then you can pull them, verify them, and save them.
That was part of why I updated my 'signing' plugin. Because I realized
that just checking the signature wasn't enough. You could have a
signature of bogus text.
We also need to decide whether we want to support signing commits that
don't match on email address. (Whether because john at arbash-meinel.com is
signing commits for john at johnmeinel.com, or because I'm approving
abentley at utoronto.ca commits).
As a first draft, I would really consider setting it to require that the
email addresses match. But I don't know how to extract the address from
gpg. And I assume you would want the rich pyme/libgpgme interface,
rather than calling out to gpg --verify and reading the output of stderr.
For my signing plugin, I might actually go ahead and do that. At least
search through the 'aka' texts for a matching email address. I'm
thinking it is a lot better to just match the email portion, since there
are a lot of variations on how to write your name:
John Meinel
John A Meinel
John Arbash Meinel
Meinel, John A
...
John
=:->
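The email-portion matching John sketches above, as an added example (not code from the original post, from bzr, or from the 'signing' plugin): it scans the human-readable stderr that `gpg --verify` prints, collects the e-mail address from the "Good signature from" user ID and from every "aka" user ID, and then checks whether the committer string of a revision carries one of those addresses. The gpg output lines and the committer strings are constructed samples; the `signer_emails`, `committer_matches_signer` and `extract_email` names are this example's own. A BAD signature yields no addresses at all, so a committer never "matches" a signature that did not verify.

```python
import re

# Constructed sample of what `gpg --verify` writes to stderr for a key that
# carries several user IDs (the "aka" lines). Not real output from bzr.dev.
SAMPLE_GOOD = """\
gpg: Signature made Mon May  8 17:54:52 2006 BST using DSA key ID 0000PLACEHOLDER
gpg: Good signature from "John A Meinel <john@arbash-meinel.com>"
gpg:                 aka "John Meinel <john@johnmeinel.com>"
gpg:                 aka "Meinel, John A <john@johnmeinel.com>"
"""

# Constructed sample of a signature that does not verify.
SAMPLE_BAD = """\
gpg: Signature made Mon May  8 17:54:52 2006 BST using DSA key ID 0000PLACEHOLDER
gpg: BAD signature from "John A Meinel <john@arbash-meinel.com>"
"""

# "Good signature from" carries the primary user ID; each "aka" line carries
# one further user ID of the same key. Newer gpg appends a trust tag such as
# [ultimate] after the closing quote, which is allowed but ignored.
_UID_RE = re.compile(r'^gpg:\s+(?:Good signature from|aka)\s+"(.*?)"(?:\s+\[[^\]]*\])?\s*$')
_BAD_RE = re.compile(r'^gpg:\s+BAD signature from')

# The address is matched on its own so that "John A Meinel", "Meinel, John A"
# and similar spellings of the name never matter.
_ANGLE_RE = re.compile(r'<([^<>\s]+@[^<>\s]+)>')
_BARE_RE = re.compile(r'[^\s<>"]+@[^\s<>"]+')


def extract_email(text):
    """Return the e-mail portion of a user ID or committer string, lower-cased,
    or None if the string carries no address. An angle-bracketed address wins
    over a bare one so that commas or other punctuation in the name are
    irrelevant."""
    m = _ANGLE_RE.search(text)
    if m:
        return m.group(1).lower()
    m = _BARE_RE.search(text)
    return m.group(0).lower() if m else None


def signer_emails(gpg_stderr):
    """Return the set of e-mail addresses from every user ID gpg reported for
    the signing key, or an empty set if gpg reported a BAD signature."""
    emails = set()
    for line in gpg_stderr.splitlines():
        if _BAD_RE.match(line):
            return set()
        m = _UID_RE.match(line)
        if m:
            addr = extract_email(m.group(1))
            if addr:
                emails.add(addr)
    return emails


def committer_matches_signer(committer, gpg_stderr):
    """True when the e-mail portion of the revision's committer string is one
    of the signing key's addresses. A committer string without an address, or
    a signature that did not verify, never matches."""
    addr = extract_email(committer)
    return addr is not None and addr in signer_emails(gpg_stderr)


if __name__ == "__main__":
    for committer in ("John Arbash Meinel <john@arbash-meinel.com>",
                      "Meinel, John A <john@johnmeinel.com>",
                      "Aaron Bentley <abentley@utoronto.ca>"):
        print(committer, "->", committer_matches_signer(committer, SAMPLE_GOOD))
```

Scraping stderr is the quick route the post mentions; the addresses are the same ones gpg's machine-readable `--status-fd` channel reports, so a plugin that later moves to that interface keeps the same matching rule. Note that this check only ties the key to the committer address; it says nothing about whether the signed text is the revision's own, which is the separate "signature of bogus text" problem raised above.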