|
|
Boost : |
Subject: Re: [boost] Boost 1.61.0 has been released
From: Niall Douglas (s_sourceforge_at_[hidden])
Date: 2016-05-15 06:29:35
On 14 May 2016 at 9:57, Tom Kent wrote:
> Ideally we could cryptographically sign the tags going into git as well,
> but I have even less experience doing/checking that.
You might as well sign every commit just as easily. Historically that
introduced a lot of bloat (2Kb-4Kb per commit of signing due to the
RSA key size), but in the AFIO v2 github repo I've been experimenting
with the very new Ed25519 elliptic curves for signing. These add only
dozens of bytes to each commit, and github correctly understands them
as you can see by the purdy green "Verified" tag per commit at:
https://github.com/ned14/boost.afio/commits/master
Your big problem is going to be configuring the tooling for git
signing on Windows - you need exactly the right combination of recent
or beta versions of git, tortoisegit and gpg4win.
I'd personally speaking recommend Boost leave off commit signing for
at least another release or two until the tooling required for
ed25519 curves comes out of beta, especially on Windows.
I'd strongly recommend *against* using RSA keys for commit signing.
The bloat introduced isn't worth the gain.
The remaining question is whether signing tags is worth it. I
personally don't think so, it's creates a false sense of security
unless all committers are signing their commits. Better to SHA the
zip archive as Rene already does.
Niall
-- ned Productions Limited Consulting http://www.nedproductions.biz/ http://ie.linkedin.com/in/nialldouglas/
Boost list run by bdawes at acm.org, gregod at cs.rpi.edu, cpdaniel at pacbell.net, john at johnmaddock.co.uk