Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:118879
Return-Path: <pnacht@google.com>
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 96636 invoked from network); 24 Oct 2022 17:05:56 -0000
Received: from unknown (HELO php-smtp4.php.net) (45.112.84.5)
  by pb1.pair.com with SMTP; 24 Oct 2022 17:05:56 -0000
Received: from php-smtp4.php.net (localhost [127.0.0.1])
	by php-smtp4.php.net (Postfix) with ESMTP id 21E581804BA
	for <internals@lists.php.net>; Mon, 24 Oct 2022 10:05:55 -0700 (PDT)
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on php-smtp4.php.net
X-Spam-Level: 
X-Spam-Status: No, score=-17.6 required=5.0 tests=BAYES_00,DKIMWL_WL_MED,
	DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,
	ENV_AND_HDR_SPF_MATCH,HTML_MESSAGE,RCVD_IN_DNSWL_NONE,
	RCVD_IN_MSPIKE_H3,RCVD_IN_MSPIKE_WL,SPF_HELO_NONE,SPF_PASS,
	T_SCC_BODY_TEXT_LINE,USER_IN_DEF_DKIM_WL,USER_IN_DEF_SPF_WL
	autolearn=no autolearn_force=no version=3.4.2
X-Spam-ASN: AS15169 209.85.128.0/17
X-Spam-Virus: No
X-Envelope-From: <pnacht@google.com>
Received: from mail-qt1-f178.google.com (mail-qt1-f178.google.com [209.85.160.178])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256)
	(No client certificate requested)
	by php-smtp4.php.net (Postfix) with ESMTPS
	for <internals@lists.php.net>; Mon, 24 Oct 2022 10:05:54 -0700 (PDT)
Received: by mail-qt1-f178.google.com with SMTP id w3so5972830qtv.9
        for <internals@lists.php.net>; Mon, 24 Oct 2022 10:05:54 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=google.com; s=20210112;
        h=cc:to:subject:message-id:date:from:in-reply-to:references
         :mime-version:from:to:cc:subject:date:message-id:reply-to;
        bh=lpw87Styx+IHy1hXpPL2Rq3R4Qjlo60TWE9DG9D7eEE=;
        b=g5jbCzqkLaX1pF5gs8c4rr3n3tl1nYPGSEHhXx30/W/81TvbNB1z5i0s1ZQxjW6BoF
         oq0lWLkxtBzPhRdRdYid6DLYX8Sy7gLR27EeXz5drzyReqPjYTG7GaiRXPXvZ5o5wZTD
         4SDBv71q2hPEvdyX69746aH56x2EekLFLhgowsyreXHHpg1fJR4g7GQdncJEYijRB9kX
         avX8F3VZiSL4hNGZMH3c2HvLB+gn1HHwBHMojONXPgsRR6WdqqCw8xkr5wIZN0epxT4M
         n5BIznwUPoZkpcOFMAX0ogsh0WBpXmSWnJg6QDnP3C2jAi/kKNmw2eXG9QQzXA8JB+0a
         hlkA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20210112;
        h=cc:to:subject:message-id:date:from:in-reply-to:references
         :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id
         :reply-to;
        bh=lpw87Styx+IHy1hXpPL2Rq3R4Qjlo60TWE9DG9D7eEE=;
        b=RM12isQc9L/Z8v3g9PuAa9Up3BfhFuqABxA0nMa/CPLLSQNY8RyYcNcuXKIgmkEEtB
         +kZ2u6pWE+oYqY6SDb/u5GK27afsPFp5jPkGa+cX6nWQ4DLpcmGnH817kyRQcVaNiNBT
         FLDeX2pCgC1hKrtz1W50ZEcfgiwqzAcOeEhbtyj7Lc/rqgzuBnrIYJ73iQH6nQJoBQE8
         XejYNzk6c/WXhc9pOc72FjPJKXUqiD1QssyYR7F2HG8AG8E2QKAqtKbqujJu6m3zGKGy
         PzQsjVi3rzHJYWtzgBO1/oLfnxXwNvCpS4Ucqxe/8FnpK8Sc/FO1urCHJfoeN12SqzKF
         bwXQ==
X-Gm-Message-State: ACrzQf2GmjiGfJvYJjxPnt4YGZo3UHeU4EAHf9inPgxjP+LpKH75udmy
	Ea3a4ylYCk3RJ1+ZNtxDZzEyiOW1xw1sW/Y7i3quJVka/SXdlA==
X-Google-Smtp-Source: AMsMyM5RV/lNmgKrx/efFYbehTB9+Vg/t9Ow/rlgbTFb0G7dxUCdgvvEJUd/eeQwvCxYAwzJn7fI/gmdA+bA6xUVQUA=
X-Received: by 2002:a05:622a:410:b0:39d:8ed:33e with SMTP id
 n16-20020a05622a041000b0039d08ed033emr21529441qtx.43.1666631153568; Mon, 24
 Oct 2022 10:05:53 -0700 (PDT)
MIME-Version: 1.0
References: <CAFWHjfpriiBX1Xg34F95zXsgwKQeh1-AwActDws5wuRL83pHhQ@mail.gmail.com>
 <CAMrTa2E5VHJGANm0u3Nrs9a9DeoJspE7JAg0902TzDi1Pq4iiA@mail.gmail.com>
In-Reply-To: <CAMrTa2E5VHJGANm0u3Nrs9a9DeoJspE7JAg0902TzDi1Pq4iiA@mail.gmail.com>
Reply-To: Pedro Nacht <pnacht@google.com>
Date: Mon, 24 Oct 2022 14:05:37 -0300
Message-ID: <CAFWHjfr0gFxzqRX12N7u5pWfNkafDeW8Y81d8E==5ibg2_=MiQ@mail.gmail.com>
To: Jordan LeDoux <jordan.ledoux@gmail.com>
Cc: internals@lists.php.net
Content-Type: multipart/alternative; boundary="000000000000e1bc2d05ebcacdae"
Subject: Re: [PHP-DEV] Adding the OpenSSF Scorecards GitHub Action
From: internals@lists.php.net ("Pedro Nacht via internals")

--000000000000e1bc2d05ebcacdae
Content-Type: text/plain; charset="UTF-8"

Hey Jordan,

The tool is only meant to be informative regarding the project's
supply-chain security posture and gives actionable suggestions on how it
can be improved. However, it doesn't create issues, bug maintainers and
volunteers with notifications/emails, or make any assumptions regarding
maintainer/volunteer responsiveness. Maintainers decide when they wish to
check the GitHub Security Dashboard to check the project's security posture.

What actionable benefit could this provide the project?
>

Some of the suggestions it gives for PHP are:

   - add a security policy to the repo where security vulnerabilities can
   be reported privately (the file could simply point users to the
   instructions at https://wiki.php.net/security, for example).
   - set GitHub workflow dependencies to adopt hash-pinning instead of
   major-version pinning. This is to eliminate the risk of tag-hijacking
   attacks where a malicious commit is published to an Action you rely on and
   the tag is then recreated to point to that malicious commit. Dependabot or
   Renovatebot (which the tool also recommends adding to the project) can then
   be used to keep your dependencies up-to-date.
   - set all GitHub workflows with top-level read-only permissions. It
   recognizes that almost all PHP's workflows have top-level read-only
   permissions, but points out that github/workflows/labeler.yml doesn't
   (though it does have job-level contents read-only permissions).
   - and yes, enforce Code-Review and maximal Branch-Protection. I
   understand this would be quite impactful on the project's current workflow,
   but it's the sort of thing that would mitigate the sort of
   attack @ricardoboss mentioned in the linked GH issue. Whether the costs are
   worth the benefit is a question you are all certainly better equipped to
   determine than me.

Some of these tips are one-offs: for example, once you have a security
policy, there's likely nothing else to do in that regard.

However, others offer more continuous monitoring in case there's an
accidental slip-up: if any new workflows are added to the project in the
future without minimal permissions or without pinning dependencies, for
example, the Action will update the Security Dashboard with an alert.

I'd be happy to submit a few PRs to implement the changes I can.

What would forcing maintainers to go through a PR and review process for
> the types of changes that normally get pushed directly to master provide? A
> way for third parties to weigh in? Can't they already do that through the
> mailing list, issues, and PRs?
>

Code review is simply a means of getting an extra pair of eyes on any new
code. Be that to perhaps identify bugs, typos, missed edge-cases or actual
malicious activity as seen last year. It does, however, undoubtedly have
associated costs (crucially, volunteer time). As I stated above, the
cost-benefit analysis is best done by you all who have much more experience
with the project.

Thank you,
Pedro

--000000000000e1bc2d05ebcacdae--