Git's signed commit / tag support is problematic even without PGP because it uses signatures hard-wired into the objects. It has no way to add additional signatures after the fact, which is a huge problem. Even if you're using PGP, it's better to use Git notes than their system.
It should be possible to rotate keys and provide new signatures replacing the old ones made with the key that's being retired. Git notes mean you can just not fetch all the legacy signatures, etc. It's pretty gross having PGP bloat hard-wired into each commit / tag object...
I think it would be a lot better to just come up with a good standard and tooling for using Git notes to attach signatures to objects. Much better to sign a generated archive when possible for reduced attack surface vs. verifying huge trees of SHA-1 commit/tree/blob hashes.
Git doesn't even verify the object graph integrity or that objects are well formed by default. You need to use the git fsck tool. You can enable it with:
git config --global transfer.fsckObjects true
fetch.fsckObjects and receive.fsckObjects default to the value of transfer.fsckObjects.
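As an added example (not from the thread's author), a small POSIX shell script that shows how the three fsckObjects settings resolve against each other and that an explicit per-repo fetch.fsckObjects overrides the umbrella transfer.fsckObjects value. It assumes git 2.32 or newer for GIT_CONFIG_GLOBAL, and uses a throwaway global config so your real ~/.gitconfig is untouched.

```shell
#!/bin/sh
# Added example, not code from the thread: how git resolves fsckObjects.
# git reads fetch.fsckObjects / receive.fsckObjects first; if unset, each
# falls back to transfer.fsckObjects; if that is unset too, checks are off.

# effective_fsck REPO SCOPE -> prints "true" or "false" (SCOPE: fetch|receive)
effective_fsck() {
    v=$(git -C "$1" config --type=bool --get "$2.fsckObjects" 2>/dev/null) ||
    v=$(git -C "$1" config --type=bool --get transfer.fsckObjects 2>/dev/null) ||
    v=false
    printf '%s\n' "$v"
}

# make_demo_repo -> sets REPO to a fresh repo with an isolated global config
# (assumes GIT_CONFIG_GLOBAL support, git >= 2.32; HOME is moved as a fallback)
make_demo_repo() {
    tmp=$(mktemp -d)
    export HOME="$tmp" XDG_CONFIG_HOME="$tmp"
    export GIT_CONFIG_GLOBAL="$tmp/gitconfig" GIT_CONFIG_NOSYSTEM=1
    REPO="$tmp/repo"
    git init -q "$REPO"
}

# harden REPO -> the umbrella setting from the thread, set in the global config
harden() {
    git -C "$1" config --global transfer.fsckObjects true
}

# report REPO LABEL -> one line with both effective values
report() {
    printf '%-9s fetch=%s receive=%s\n' "$2" \
        "$(effective_fsck "$1" fetch)" "$(effective_fsck "$1" receive)"
}

demo() {
    make_demo_repo
    report "$REPO" default:      # nothing set: both false
    harden "$REPO"
    report "$REPO" hardened:     # umbrella on: both true
    # A repo-local explicit value wins over the global umbrella setting.
    git -C "$REPO" config fetch.fsckObjects false
    report "$REPO" override:     # fetch=false receive=true
    # On-demand check of the whole object graph; exit status 0 means clean.
    git -C "$REPO" fsck --strict
}

if command -v git >/dev/null 2>&1; then demo; fi
```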