From: Lorenz Leutgeb <lorenz.leutgeb@posteo•eu>
To: Junio C Hamano <gitster@pobox•com>
Cc: git@vger•kernel.org
Subject: Re: Push Certificates: Privacy Concerns Regarding the "pushee" Header
Date: Wed, 18 Feb 2026 09:56:39 +0000
Message-ID: <abfb7c91-3065-4569-a080-ab0e0c259a12@posteo.eu>
In-Reply-To: <xmqqo6lm8ubv.fsf@gitster.g>

So, imagine a world where push certificates are more "end-to-end".
Think transparency log meets Git (see https://transparency.dev/ for more
context). Not only `git push --signed`, but also `git pull --signed`
exists. The remote being fetched from must provide evidence for the
puller to verify the range being pulled, e.g. 0000000..ccae4e0. It does so
by sending along the blob that contains the corresponding push
certificates[^1].

In this bright future, where any puller is an auditor, you would run
into an issue if you want your repository to be pulled from different
places (pullees? fetchees?). However, there is a way out: Let the
pusher specify which locations they are happy to have their push
end up at. In your case, since you are happy for others to pull from
https://github.com/gitster/git, you add to your push certificate:

    certificate version 0.1
    pusher SHA256:xX6bp…T0 1771188983 +0100
    pushee https://example.com/repo.git
    pushee git@github•com:gitster/git.git
    nonce 1771188983-345389c
    0000000 ccae4e0 refs/heads/main

I will also give you the counter arguments: Firstly, with repositories
that have many mirrors, the number of headers might become
problematically large. One remedy would be to allow configuration of
aliases on the side of the puller/verifier. One could accept all values
of `remote.<name>.url` as valid. One could introduce
`remote.<name>.alias`. Secondly, for repositories with exactly one
canonical location, no configuration would be necessary and the value
being used today would be correct.
---
[^1]: In general, it would have to send multiple push certificates.
Firstly because there might be multiple refs being pulled over multiple
ranges. Secondly because that range might have been established over
multiple pushes.
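
An added example, not part of the original message and not Git's own code: a puller-side check for the multi-pushee certificate sketched above, in Python. Repeated `pushee` headers and the alias list are the proposal's hypotheticals, the certificate's signature is assumed to have been verified beforehand, and the sample certificate (key id, mirror URL) is constructed.

```python
# Added example: would a puller accept this push certificate for the
# location it is fetching from? Signature verification is assumed done.
HEADER_KEYS = {"certificate", "pusher", "pushee", "nonce", "push-option"}

# Constructed sample in the shape shown in the message (not a real certificate).
SAMPLE_CERT = """\
certificate version 0.1
pusher SHA256:CONSTRUCTED-KEY-ID 1771188983 +0100
pushee https://example.com/repo.git
pushee https://mirror.example.org/repo.git
nonce 1771188983-345389c

0000000 ccae4e0 refs/heads/main
"""

def parse_cert(text):
    """Split a certificate into {header: [values]} and [(old, new, ref)]."""
    headers, updates = {}, []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        key, _, rest = line.partition(" ")
        if key in HEADER_KEYS:
            headers.setdefault(key, []).append(rest)
            continue
        fields = line.split()
        if len(fields) != 3:
            raise ValueError(f"malformed certificate line: {line!r}")
        updates.append(tuple(fields))
    return headers, updates

def puller_accepts(cert_text, accepted_urls, ref, old, new):
    """accepted_urls: the puller's remote.<name>.url values plus any
    (hypothetical) remote.<name>.alias values, compared as exact strings."""
    headers, updates = parse_cert(cert_text)
    pushees = set(headers.get("pushee", []))
    if pushees.isdisjoint(accepted_urls):
        return False  # the pusher never named this location
    return (old, new, ref) in updates  # the signed range must match exactly

if __name__ == "__main__":
    mirror = {"https://mirror.example.org/repo.git"}
    print(puller_accepts(SAMPLE_CERT, mirror, "refs/heads/main", "0000000", "ccae4e0"))
```

Exact string comparison is deliberate here: any URL normalization on the verifier side widens the set of locations a certificate is accepted for.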