Newsgroups: php.internals
Date: Tue, 2 Apr 2024 10:59:44 -0500
From: john@coggeshall.org (John Coggeshall)
To: Andreas Heigl
Cc: internals@lists.php.net
Subject: Re: [PHP-DEV] Requiring GPG Commit Signing
Message-ID: <609B255E-518E-4DAF-B41A-D21A3EBB5B5D@getmailspring.com>

> So if we want to make sure that something like XY doesn't happen, we
> have to add some additional restrictions to those GPG keys.

Looks like all those geeky colleagues of ours back in the day having key-signing parties at conferences were on to something, maybe..

Let's be clear about something -- having GPG key requirements isn't going to help a situation like XZ. The XZ attack was done by an active maintainer of the project (who arguably manipulated the original maintainer of the project to become a maintainer themselves). It was as much a social engineering attack as anything.

Having GPG key requirements is all fine and dandy I suppose, but my tongue-in-cheek comment above has a real point behind it: GPG keys don't mean jack if you can't trust who owns the key. Unless we want to start limiting contributors to people who show up at conferences to do key signings of their GPG keys, I question exactly what this buys the project other than an illusion of security and additional complexity? I couldn't even really trust Derick to read me his GPG public key character-by-character over the phone nowadays thanks to AI.

Just Sayin'

John