Storage internals: UUID

Mark Grandi markgrandi at gmail.com
Thu Jun 14 03:30:08 UTC 2012 

Sorry daniel, i keep forgetting to change the 'to' field to the mailing
list rather then the person i'm replying to...

(real message)

I'm just really bad at explaining myself, but yes this ins't about gpg
(totally at least) but it does seem to me that if we just put the parent's
sha1 hash in the long form of the testament, we would be able to verify the
history of the branch. Am I right in this assumption? are there any
repercussions of adding this to the testament output?

On Tue, Jun 12, 2012 at 7:54 PM, Daniel Carrera <dcarrera at hush.com> wrote:

>
>
> On Wednesday, June 13, 2012 at 4:00 AM, Mark Grandi <markgrandi at gmail.com>
> wrote:
> >
> > I know how gpg works, sorry if you misunderstood my question, but what
> happens
> > if my commiter email is 'mark at example.com', i create a gpg key
> with
> > that email and sign my commits, now evil bob, also creates a gpg key
> with my email
> > address, and then he can theoretically resign the signature text and it
> would be valid
> > with HIS key, but not mine, im just confused on what happens since the
> only identifier in
> > the signature text is the email,
>
> You say you understand how GPG works, but your question should be more
> than covered by your previous knowledge and what I wrote in my previous
> email:  It doesn't matter if the text your are signing has your email. Why
> would GPG care? The text being signed is not trusted until the signature
> has been checked. That is the whole *point* of a signature. You also do
> *not* trust that a GPG key comes from the owner of mark at example.com just
> because the key claims that it does. That would be absurd.
>
> This is not about Bzr or the testament file. This is something universal
> that goes to the very point of having GPG signatures. Imagine that you
> receive a contract from Bill Gates for $100M for some candy. The contract
> claims to be fro Bill Gates. It certainly has his physical address, email
> address and signature. It even has a GPG signature that claims to be from
> gates at microsoft.com... Do you trust it?
>
> This is the whole point of GPG, the web of trust, and everything I wrote
> in my previous post. You do NOT trust a key until you  have verified it
> through some alternate channel that you trust enough for your purposes.
> What channel you deem acceptable is a function of how much security you
> feel you need.
>
> Anyway, I think that this is getting off topic... Discussions of GPG and
> how it works probably don't belong in this forum.
>
>
> Daniel.
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.ubuntu.com/archives/bazaar/attachments/20120613/d9a28f5d/attachment-0001.html>

More information about the bazaar mailing list