On Mon, 25 Apr 2005, Paul Jakma wrote:
You dont even need it, see my other mail. If:
- the signature is an object and added after the commit object
- tools know that signatures are 'proxies of' or precursors to the
objects they are signing (which makes sense, a signature by
definition refers to something else)
- the signature object refers to the object it is signing (eg a
'Signing <object ID>' header)
Then head can simply be the signature object and tools can find the
commit by following the 'Signing' field of the signature (they dont
even need to check the signature is valid). No index lookup needed.
You only need the index for historical verification really, and you can
always generate an index if needs be. (and have the tools maintain it).
Uh, I have no idea whether verifying a signature of a commit object
is sufficient, ie equivalent to signing each file.
commit refers to tree objects, which I presume lists the SHA-1 object
IDs of files, but IIRC Linus already described why a signature of the
commit object should not be used to trust the rest of commit.. (i'll
have to find his mail). If so, an index is required.
regards,
--
Paul Jakma [email protected] [email protected] Key ID: 64A2FF6A
Fortune:
Old programmers never die, they just hit account block limit.
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [email protected]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
[Index of Archives]
[Kernel Newbies]
[Netfilter]
[Bugtraq]
[Photo]
[Stuff]
[Gimp]
[Yosemite News]
[MIPS Linux]
[ARM Linux]
[Linux Security]
[Linux RAID]
[Video 4 Linux]
[Linux for the blind]
[Linux Resources]
