Newsgroups: php.internals
Xref: news.php.net php.internals:122891
References: <3e988b3b-65b8-13d3-16cf-1296bfdd7ed2@php.net> <33406173-693c-44c2-a378-fff49751f3b4@rwec.co.uk>
In-Reply-To: <33406173-693c-44c2-a378-fff49751f3b4@rwec.co.uk>
Date: Tue, 2 Apr 2024 21:02:48 +0200
Subject: Re: [PHP-DEV] Requiring GPG Commit Signing
To: PHP internals <internals@lists.php.net>
From: tovilo.ilija@gmail.com (Ilija Tovilo)

Hi Rowan

On Tue, Apr 2, 2024 at 8:48 PM Rowan Tommins [IMSoP] wrote:
>
> In fact, you don't need to compromise anybody's key: you could socially
> engineer a situation where you have push access to the repository, or
> break the security in some other way. As I understand it, this is exactly
> what happened 3 years ago: someone gained direct write access to the
> git.php.net server, and added commits "authored by" Nikita and others to
> the history in the repository.

Right, but I would like to believe that attaining push access _without
gaining access to a maintainer's account_ should be substantially harder on
GitHub than our self-hosted git server. :)

> If all commits are signed, a compromised key or account can only be used
> to sign commits with that specific identity: your GitHub account can't be
> used to sign commits as Derick or Nikita, only as you. The impact is
> limited to one identity, not the integrity of the entire repository.

But, does it matter? I'm not sure we look at some commits closer than
others, based on their author. It's true that it might be easier to
identify malicious commits if they all come from the same user, but it
wouldn't prevent them.

To be clear: I'm not against commit signing, I've been doing it for years.
I'm just unsure if it's a sufficient solution (apart from releases, which
are a whole different can of worms).

Ilija
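The point Rowan makes (a signature binds a commit to one key, so a forged "authored by" line is detectable) and the one Ilija makes (signing only helps if someone actually checks, and the useful signal is which identity the bad commits cluster under) both come down to one mechanical check on the history. The script below is an added example, not code from this thread or from the PHP project: it takes the output of `git log --format='%H%x09%G?%x09%GK%x09%ae%x09%ce'` (commit hash, GPG status letter, signing key ID, author e-mail, committer e-mail, tab-separated) and enforces that every commit carries an acceptable signature made by a key registered for the committer identity. The key allowlist and the log lines are constructed for illustration; real key IDs and identities would come from the project's own keyring.

```python
"""Verify that every commit in a range is signed by a key registered for its
committer, using fields git itself reports via --format.

Added example; the allowlist and log lines below are constructed, not real.
Produce real input with:
    git log --format='%H%x09%G?%x09%GK%x09%ae%x09%ce' origin/master..HEAD
"""
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical allowlist: committer e-mail -> set of long key IDs (%GK values)
# that identity may sign with. In practice this is generated from the keyring.
ALLOWED_KEYS = {
    "alice@example.org": {"1111111111111111"},
    "bob@example.org": {"2222222222222222"},
}

# %G? letters git can emit. Only a good signature is accepted; 'U' (good
# signature, key validity unknown) is tolerated because we pin key IDs
# ourselves instead of relying on the GPG web of trust.
ACCEPTED_STATUS = {"G", "U"}

# Constructed sample log output (tab-separated).
SAMPLE_LOG = "\n".join([
    "a1\tG\t1111111111111111\talice@example.org\talice@example.org",  # properly signed
    "b2\tN\t\talice@example.org\talice@example.org",                   # unsigned, "authored by" alice
    "c3\tG\t2222222222222222\talice@example.org\tbob@example.org",    # bob merged alice's patch
    "d4\tB\t1111111111111111\talice@example.org\talice@example.org",  # bad (tampered) signature
    "e5\tG\t3333333333333333\tbob@example.org\tbob@example.org",      # good sig, unregistered key
])


@dataclass(frozen=True)
class Commit:
    sha: str
    status: str     # %G?
    key: str        # %GK, empty when unsigned
    author: str     # %ae
    committer: str  # %ce


def parse_log(text):
    """Parse the tab-separated --format output into Commit records."""
    commits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("\t")
        if len(parts) != 5:
            raise ValueError(f"unexpected log line: {line!r}")
        commits.append(Commit(*parts))
    return commits


def check_commit(commit, allowed):
    """Return (sha, level, reason) findings for one commit; empty if clean."""
    if commit.status == "N":
        return [(commit.sha, "error", "unsigned commit")]
    if commit.status not in ACCEPTED_STATUS:
        return [(commit.sha, "error",
                 f"signature status {commit.status!r} not accepted")]
    findings = []
    # The signature belongs to the committer; the author line is free text.
    if commit.key not in allowed.get(commit.committer, set()):
        findings.append((commit.sha, "error",
                         f"key {commit.key} not registered for {commit.committer}"))
    if commit.author != commit.committer:
        # Normal for merged patches, but worth surfacing: the author field
        # is exactly what an attacker forges, and only the committer signed.
        findings.append((commit.sha, "warning",
                         f"author {commit.author} differs from signer {commit.committer}"))
    return findings


def check_log(text, allowed=ALLOWED_KEYS):
    """Run check_commit over every commit in the log text."""
    findings = []
    for commit in parse_log(text):
        findings.extend(check_commit(commit, allowed))
    return findings


def errors_by_committer(text, allowed=ALLOWED_KEYS):
    """Group failing commits by committer identity, so that a compromised
    account or key shows up as a cluster under one name."""
    grouped = defaultdict(list)
    commits = {c.sha: c for c in parse_log(text)}
    for sha, level, _ in check_log(text, allowed):
        if level == "error":
            grouped[commits[sha].committer].append(sha)
    return dict(grouped)


if __name__ == "__main__":
    for sha, level, reason in check_log(SAMPLE_LOG):
        print(f"{sha} {level}: {reason}")
    print(errors_by_committer(SAMPLE_LOG))
```

The check deliberately keys on the committer, not the author: in git only the committer's key signs the object, and the author field is precisely the thing the 2021 incident forged. A CI job would run this on the pushed range and reject the push on any error; the per-committer grouping is what turns "one identity compromised" into something a reviewer can act on.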