[botan-devel] Moving to git?
code at funwithsoftware.org
Wed Jan 2 13:42:09 EST 2013
On Jan 2, 2013, at 8:27 AM, Jack Lloyd wrote:
> I also don't really understand yet what authenticity properties git
> does or does not try to enforce: if I pull sources from github, what
> can I be confident about in my checked out tree? As I understand it
> git doesn't even sign revisions, making me think anyone with direct
> write access to the primary repo can manipulate the history, perhaps
> without detection.
My understanding is that the SHA-1 for a particular git commit is a
digest (recursively) of all the history that went before it.
Therefore, as long as you know the SHA-1 for a particular point in
time, you can be assured that nothing in the past has been tampered
(This actually makes it a bit of a pain if you ever want to change
history intentionally, because any branches anyone has after that
point are invalidated, and you have to do a bit of magic to get them
back in sync again.)
Of course, yes, since it's not actually using digital signatures, you
have no assurance that any *new* commits are from who they say they're
from. (Just like in email, anyone could claim to be
lloyd at randombit.net.) But you are at least assured that the past
hasn't been tampered with. (As long as you trust SHA-1, of course.)
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the botan-devel