On Tue, Apr 2, 2024, at 21:40, Rowan Tommins [IMSoP] wrote: > On 02/04/2024 20:02, Ilija Tovilo wrote: >> But, does it matter? I'm not sure we look at some commits closer than >> others, based on its author. It's true that it might be easier to >> identify malicious commits if they all come from the same user, but it >> wouldn't prevent them. > > > It's like the difference between stealing someone's credit card, and cloning > the card of everyone who comes into the shop: in the first case, someone > needs to check their credit card statements carefully; in the second, you'll > have a hard job even working out who to contact. > > Similarly, if you discover a compromised key or signing account, you can look > for uses of that key or account, which might be a tiny number from a non-core > contributor; if you discover a compromised account pushing unsigned commits, > you have to audit every commit in the repository. > > I agree it's not a complete solution, but no security measure is; it's always > about reducing the attack surface or limiting the damage. > > Regards, > > -- > Rowan Tommins > [IMSoP]
FWIW, I store my signing and ssh keys on yubikeys. Even then, when I managed to lose one several years ago, revoking the certificate on GitHub was relatively straightforward. Further, it marked every commit made by that key (ever) as unverified. So, in the very least, if a key were to be compromised, any open PRs would need to be resigned by the author to get them back in good standing; if verified commits are required. This, of course, makes GitHub the "single point of failure." If someone were to gain access to my GH (even on an unattended laptop), they could add their own keys, and on another computer; log in with another account, and then push commits with my email address and their gpg key. GitHub would show them as verified (IIRC) and from me. This is by design, since "in theory," I could have pushed my commits to a coworker's git repo, who then pushed it to GH. Terrifying stuff... but it is even more terrifying than not having signed commits at all, since literally anyone can push a commit with anyone's name on it and nobody would even know it was a counterfeit. So, at least requiring signed commits makes the bar that much higher to counterfeit/hide malicious commits. If this stuff terrifies you too, I recommend turning on vigilant mode: https://docs.github.com/en/authentication/managing-commit-signature-verification/displaying-verification-statuses-for-all-of-your-commits — Rob