From patchwork Mon Oct 31 15:53:59 2011
X-Patchwork-Submitter: Linus Torvalds
X-Patchwork-Id: 122876
X-Patchwork-Delegate: davem@davemloft.net
From: Linus Torvalds
Date: Mon, 31 Oct 2011 08:53:59 -0700
Subject: Re: [git patches] libata updates, GPG signed (but see admin notes)
To: James Bottomley, Junio C Hamano
Cc: Jeff Garzik, Andrew Morton, linux-ide@vger.kernel.org, LKML
X-Mailing-List: linux-ide@vger.kernel.org

On Mon, Oct 31, 2011 at 1:19 AM, James Bottomley wrote:
>
>> That said, even the "BEGIN PGP SIGNED MESSAGE" things are a massive
>> pain in the butt. We need to automate this some sane way, both for the
>> sender and for the recipient.
>
> But this doesn't help with what practise you want us to follow.  Do you
> want us to send full signed email using pgp encapsulation for pull
> requests in spite of the mangling it does to attached patches and the
> amount of extra pain it causes you?

No. I don't want the *whole* email signed, because that is quite
inconvenient: it means that I can't just cut-and-paste some signature,
I have to save the email and verify it etc etc.

So my preferred thing would literally be to make the signed part as
small as possible with no odd characters or whitespace (top commit and
probably repository name), so that I can cut-and-paste it and just
have a terminal window open with "gpg --verify + paste + ^D" and I'm
done.

For the people who use "git request-pull", I'm attaching a trivial
patch to make it add this kind of signature if you give it the "-s"
flag. It basically just adds a hunk like the appended crazy example to
the pull request, and it's small enough and simple enough that it
makes verification simple too with just the above kind of trivial
cut-and-paste thing.

(Junio cc'd, I think he had something more complicated in mind)

Now, admittedly it would be *even nicer* if this gpg-signed block was
instead uploaded as a signed tag automatically, and "git pull" would
notice such a signed tag (tagname the same as the branch name + date
or something) and would download and verify the tag as I pull. Then I
wouldn't even need to actually do the cut-and-paste at all.

But this is the *really* simple approach that gets us 95% of the way
there. And the attached patch is so trivial that if you aren't
actually using "git request-pull" but instead have some home-cooked
script to do the same, then you can just look at this patch and
trivially change your script to do something very similar.

                     Linus

[ Example gpg-signed small block that the attached patch adds to the
pull request: ]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Commit be3fa9125e708348c7baf04ebe9507a72a9d1800
from git.kernel.org/pub/git
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.18 (GNU/Linux)

iQEcBAEBAgAGBQJOrsILAAoJEHm+PkMAQRiGxZcH/31e0RrBitXUPKxHJajD58yh
SIEe/7i6E2RUSFva3KybEuFslcR8p8DYzDQTPLejStvnkO8v0lXu9s9R53tvjLMF
aaQXLOgrOC2RqvzP4F27O972h32YpLBkwIdWQGAhYcUOdKYDZ9RfgEgtdJwSYuL+
oJ7TjLrtkcILaFmr9nYZC+0Fh7z+84R8kR53v0iBHJQOFfssuMjUWCoj9aEY12t+
pywXuVk2FsuYvhniCAcyU6Y1K9aXaf6w5iOY2hx/ysXtUBnv92F7lcathxQkvgjO
fA7/TXEcummOv5KQFc9vckd5Z1gN2ync5jhfnmlT2uiobE6mNdCbOVlCOpsKQkU=
=l5PG
-----END PGP SIGNATURE-----

Signed-off-by: is *purely* for sending patches by email. No git Signed-off-by:, sign a tag and then ask you to pull, that's easy enough.

git-request-pull.sh | 9 +++++++++ 1 files changed, 9 insertions(+), 0 deletions(-) diff --git a/git-request-pull.sh b/git-request-pull.sh index fc080cc5e45d..22b51930959f 100755 --- a/git-request-pull.sh +++ b/git-request-pull.sh @@ -20,11 +20,14 @@ GIT_PAGER= export GIT_PAGER patch= +sign= while case "$#" in 0) break ;; esac do case "$1" in -p) patch=-p ;; + -s) + sign=-s ;; --) shift; break ;; -*) 
@@ -73,6 +76,12 @@ are available in the git repository at:' $baserev && echo " $url $branch" && echo && +if test -n "$sign" +then + printf "Commit $headrev\nfrom $url\n" | gpg --clearsign + echo +fi && + git shortlog ^$baserev $headrev && git diff -M --stat --summary $patch $merge_base..$headrev || exit exit $status
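
Review bot: the new `-s` case in the option loop of the first hunk is not documented anywhere in the patch: the diffstat's 9 insertions are exactly the `sign=` initialiser, the two-line `-s)` case and the six-line signing block, so the script's usage text is unchanged. Add `-s` to the usage text so the flag is discoverable, and say there that it runs `gpg --clearsign`, which signs with the user's default key.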
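
Review bot: in the second hunk, a failed `gpg --clearsign` does not stop the script, because the `if ... fi &&` block returns the status of its last command, the unconditional `echo`, so a cancelled passphrase prompt or a missing secret key yields a pull request with no signature and no error. Chain the two (`... | gpg --clearsign && echo`) so the failure reaches the `|| exit` at the end of the chain. Separately, `$headrev` and `$url` are expanded inside the printf format string, so a `%` or backslash in the URL is interpreted; `printf 'Commit %s\nfrom %s\n' "$headrev" "$url"` avoids that. The signed text also leaves out `$branch`, which the preceding `echo " $url $branch"` prints, so the signature does not cover the branch the recipient is asked to pull.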
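
The recipient-side check the message describes (verify the small signed block, then compare it with what was actually pulled), as an added shell example that is not part of the original email or of git. The function names are hypothetical, and `SAMPLE_TEXT` is the cleartext of the example block above.

```shell
#!/bin/sh
# Added example: recipient-side check of the small clearsigned block.
# Function names are hypothetical; they are not part of git.

# Cleartext of the example block in the message, used as sample input.
SAMPLE_TEXT='Commit be3fa9125e708348c7baf04ebe9507a72a9d1800
from git.kernel.org/pub/git'

# Print the verified cleartext of the clearsigned block stored in file $1.
# gpg --decrypt emits only the text covered by the signature and fails on
# a bad signature, so nothing pasted around the block is trusted.
verified_text() {
	gpg --batch --decrypt "$1" 2>/dev/null
}

# Extract the commit id from the "Commit <40 hex digits>" line.
signed_commit() {
	printf '%s\n' "$1" | sed -n 's/^Commit \([0-9a-f]\{40\}\)$/\1/p' | head -n 1
}

# Extract the repository named on the "from <url>" line.
signed_url() {
	printf '%s\n' "$1" | sed -n 's/^from \(.*\)$/\1/p' | head -n 1
}

# Succeed only if the signed text names exactly the commit and URL pulled.
# $1 = signed text, $2 = commit actually fetched, $3 = URL fetched from.
matches_pull() {
	c=$(signed_commit "$1")
	u=$(signed_url "$1")
	test -n "$c" && test "$c" = "$2" && test "$u" = "$3"
}

# Typical use after "git fetch <url> <branch>" (block.asc holds the block):
#   text=$(verified_text block.asc) &&
#   matches_pull "$text" "$(git rev-parse FETCH_HEAD)" "$url" ||
#   echo "signed block does not match what was fetched" >&2
```

A good signature from any key in the keyring makes `verified_text` succeed; checking that the signer is the expected maintainer is a separate step not shown here.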