Newsgroups: php.internals
Xref: news.php.net php.internals:122880
Subject: Re: [PHP-DEV] Requiring GPG Commit Signing
From: bukka@php.net (Jakub Zelenka)
To: John Coggeshall
Cc: Andreas Heigl, internals@lists.php.net
Date: Tue, 2 Apr 2024 16:18:43 +0000
In-Reply-To: <609B255E-518E-4DAF-B41A-D21A3EBB5B5D@getmailspring.com>

On Tue, Apr 2, 2024 at 5:05 PM John Coggeshall wrote:

> > So if we want to make sure that something like XY doesn't happen, we
> > have to add some additional restrictions to those GPG keys.
>
> Looks like all those geeky colleagues of ours back in the day having
> key-signing parties at conferences were on to something, maybe..
>
> Let's be clear about something -- having GPG key requirements isn't going
> to help a situation like XZ. The XZ attack was done by an active maintainer
> of the project (who arguably manipulated the original maintainer of the
> project to become a maintainer themselves). It was as much a social
> engineering attack as anything.
>
> Having GPG key requirements is all fine and dandy I suppose, but my
> tongue-in-cheek comment above has a real point behind it: GPG keys don't
> mean jack if you can't trust who owns the key. Unless we want to start
> limiting contributors to people who show up at conferences to do key
> signings of their GPG keys, I question exactly what this buys the project
> other than an illusion of security and additional complexity? I couldn't
> even *really* trust Derick to read me his GPG public key
> character-by-character over the phone nowadays thanks to AI.

It's not meant to prevent the XZ attack. The purpose is really just for the
actual contributors to have some assurance that just some random person won't
commit anything in their name just by changing the author of the commit.

See another thread [1] about prevention of the XZ attack - that basically
requires moving the actual build to the CI and having the right process to
verify it.

[1] https://externals.io/message/122811

Regards

Jakub