Hi Rowan

On Tue, Apr 2, 2024 at 8:48 PM Rowan Tommins [IMSoP]
<imsop....@rwec.co.uk> wrote:
>
> In fact, you don't need to compromise anybody's key: you could socially 
> engineer a situation where you have push access to the repository, or break 
> the security in some other way. As I understand it, this is exactly what 
> happened 3 years ago: someone gained direct write access to the git.php.net 
> server, and added commits "authored by" Nikita and others to the history in 
> the repository.

Right, but I would like to believe that attaining push access _without
gaining access to a maintainer's account_ should be substantially
harder on GitHub than on our self-hosted git server. :)

> If all commits are signed, a compromised key or account can only be used to 
> sign commits with that specific identity: your GitHub account can't be used 
> to sign commits as Derick or Nikita, only as you. The impact is limited to 
> one identity, not the integrity of the entire repository.

But does it matter? I'm not sure we look at some commits more closely than
others based on their author. It's true that it might be easier to
identify malicious commits if they all come from the same user, but it
wouldn't prevent them.

To be clear: I'm not against commit signing; I've been doing it for
years. I'm just unsure if it's a sufficient solution (apart from
releases, which are a whole different can of worms).

Ilija
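As an added example (not code from this thread or from php-src), here is a check that follows Rowan's point that a signature only vouches for the signer's own identity: it parses `git log` signature fields and flags commits that are unsigned, carry a non-good signature status, or are signed by an identity not registered for the author's email address, so a valid signature on a commit "authored by" someone else still stands out. The author-to-signer mapping, the sample rows, names and hashes are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# NUL-separated fields: hash, author name, author email, signature status, signer.
# %G? codes: G good, B bad, U good/untrusted, X/Y/R good but expired or revoked
# key, E cannot check (signer key unavailable), N no signature.
SEP = "\x00"
LOG_FORMAT = f"%H{SEP}%an{SEP}%ae{SEP}%G?{SEP}%GS"

@dataclass
class CommitCheck:
    sha: str
    author: str
    email: str
    status: str
    signer: str
    problem: Optional[str]  # None when the commit passes every check

def check_log(log_text: str, expected_signers: Dict[str, Set[str]]) -> List[CommitCheck]:
    """Check `git log --format=LOG_FORMAT` output. expected_signers maps an author
    email to the signer user IDs (%GS) allowed to sign commits attributed to that
    author, so a good signature from a different identity is still flagged."""
    results = []
    for line in log_text.splitlines():
        if not line:
            continue
        sha, author, email, status, signer = line.split(SEP, 4)
        problem = None
        if status == "N":
            problem = "unsigned"
        elif status != "G":
            problem = f"signature status {status}"
        elif signer not in expected_signers.get(email, set()):
            problem = f"signer {signer!r} not registered for {email}"
        results.append(CommitCheck(sha, author, email, status, signer, problem))
    return results

# Constructed sample rows (hypothetical names and hashes, not real history).
SAMPLE_LOG = "\n".join(SEP.join(row) for row in [
    ("a1b2c3d", "Alice Example", "alice@example.org", "G", "Alice Example <alice@example.org>"),
    ("d4e5f6a", "Bob Example", "bob@example.org", "N", ""),
    ("0a1b2c3", "Alice Example", "alice@example.org", "G", "Mallory <mallory@example.net>"),
    ("3d4e5f6", "Bob Example", "bob@example.org", "E", "Bob Example <bob@example.org>"),
])
EXPECTED_SIGNERS = {"alice@example.org": {"Alice Example <alice@example.org>"},
                    "bob@example.org": {"Bob Example <bob@example.org>"}}
```

Real input comes from `git log --format='%H%x00%an%x00%ae%x00%G?%x00%GS' <range>`, where git expands `%x00` to the NUL separator the parser expects; the signers' public keys must be in the local keyring, otherwise every commit reports status E.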
