On Mon, Dec 01, 2025 at 01:42:24PM +0100, Rostislav Svoboda wrote:
> > signing process [...] guarantees [...] "these are the official commits
> > [...]" [...] it helps against rogue clones [...] claiming to be the real.
> Two histories already differ by their commit hashes - regardless of
> signatures. Git's content hashing already detects rogue or modified
> histories without authentication.

Modified histories, yes, but modified futures, no. If someone copies Guix to guix.theirhoster.com and continues committing there, pretending to be the real Guix, this is not prevented by git. The additional signatures by Guix committers differentiate the two. Or otherwise said, cryptographic signatures can authenticate one of two potential histories. It is really in the word "authentic"; git only ensures consistency of potentially parallel histories.

> > And it helps against downgrade attacks, since the signatures authenticate
> > the order of commits.
> In Git, a commit can only have the same hash if both its content and
> its parent(s) match. That means the commit order is already
> cryptographically enforced

Indeed, this argument does not hold, git already ensures that one only goes forward (in potentially different directions from the original project).

Andreas
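
The distinction discussed in this message, as an added example that is not part of the original e-mail and is not Guix's or git's code: a toy hash-chained history in which a modified past fails the hash check, while a rogue continuation stays consistent and fast-forward and is rejected only by the signature check. The commit layout, the names `KEYRING` and `alice`, and the use of HMAC as a stand-in for OpenPGP signatures are assumptions made for illustration.

```python
import hashlib, hmac

def commit_id(parent, author, content):
    # Like a git commit id, the hash covers the parent id, so it pins all ancestry.
    return hashlib.sha256(f"{parent}\n{author}\n{content}".encode()).hexdigest()

def sign(key, cid):
    # HMAC stands in for an OpenPGP signature (assumption made for brevity);
    # with real signatures the verifier would hold only public keys.
    return hmac.new(key, cid.encode(), hashlib.sha256).hexdigest()

def extend(history, author, content, key):
    parent = history[-1]["id"] if history else ""
    cid = commit_id(parent, author, content)
    return history + [dict(id=cid, parent=parent, author=author,
                           content=content, sig=sign(key, cid))]

def consistent(history):
    # What hashing alone checks: each id matches its content and parent link.
    parent = ""
    for c in history:
        if c["parent"] != parent or c["id"] != commit_id(parent, c["author"], c["content"]):
            return False
        parent = c["id"]
    return True

def fast_forward(old, new):
    # True when `new` only adds commits on top of `old`.
    return len(new) >= len(old) and new[:len(old)] == old

def authentic(history, keyring):
    # Consistency plus: every commit is signed by an authorized committer.
    return consistent(history) and all(
        c["author"] in keyring
        and hmac.compare_digest(c["sig"], sign(keyring[c["author"]], c["id"]))
        for c in history)

# Constructed sample data: one authorized committer, one shared base history.
KEYRING = {"alice": b"alice-constructed-key"}
base = extend([], "alice", "initial import", KEYRING["alice"])
official = extend(base, "alice", "update package", KEYRING["alice"])
# Rogue clone: copies the base and keeps committing under alice's name.
rogue = extend(base, "alice", "unofficial change", b"not-alices-key")
# Modified past: an old commit's content is altered in place.
tampered = [dict(official[0], content="rewritten import")] + official[1:]

if __name__ == "__main__":
    for name, h in [("official", official), ("rogue", rogue), ("tampered", tampered)]:
        print(name, consistent(h), fast_forward(base, h), authentic(h, KEYRING))
```
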
