Comments (8)
couldn't the same complaint be made about github.com/bitcoin/bitcoin or for that matter practically anything on github?
some commits on bitcoin repo are signed, but by no means all. Is there a policy for sign offs in bitcoin repo, or just ad hoc?
Is there anything about python-trezor that makes signatures here even more important than, say, bitcoin repo?
from python-trezor.
The Bitcoin Core maintainers ensure all commits that end up directly in git HEAD are signed (typically merge commits). There's even a git push hook script to ensure this in the repo under control/. It'd be better if all contributors also signed commits, but ensuring git HEAD is signed is an important first step. Also, of course, git tags are always signed.
That other projects don't bother isn't an excuse...
bitcoin git:(master) $ git log --show-signature | grep commit -A1 | head -n30 | grep commit | wc -l
10
bitcoin git:(master) $ git log --show-signature | grep commit -A1 | head -n30 | grep gpg | wc -l
7
so only 7 out of the 10 last commits are signed in master, unless I am missing something?
(update)
"all commits that end up directly in git HEAD"
did you mean git master?
Can you point to the hook script? Perhaps this could be reused by python-trezor, or others, as best practice?
I'm thinking of cloning this issue for some repos under haskoin, but I want to make sure I understand action to take first.
it looks like the last two tags since v0.9.0rc1 have sigs, that's good.
What is the point of signing commits if you haven't verified the fingerprint of my GPG key via phone or meeting me in person?
I suppose if the main devs in btc world don't already have a web of trust relationship, maybe this is something that SHOULD be remedied by a phone call. I haven't invested into WOT myself, but it does seem like a healthy thing to do.
a skype video call, with a picture of the keyholder from a trusted source, is a little more spoof proof maybe...
@tphyahoo You are missing something: notice how all the merge commits are signed? (mostly by wladimir)
@prusnak For starters, if I ever get a copy of the code that is validly signed by you, even just once, I can use it to verify that I have code from the same person in the future by checking that the key hasn't changed from my old copy. This is also a matter of general post-hack audit capabilities: if github gets hacked we might not notice immediately, but we'd sure like to be able to figure out where the hack happened after the fact.
OK, I configured git so now it signs my commits. Let's close this now.
Thanks! Your signatures look good here!