Newsgroups: php.internals
Subject: Re: [PHP-DEV] Requiring GPG Commit Signing
From: bukka@php.net (Jakub Zelenka)
To: "Rowan Tommins [IMSoP]"
Cc: internals@lists.php.net
Date: Tue, 2 Apr 2024 20:02:54 +0000
In-Reply-To: <089e6466-540b-4d86-8cf4-1a6b5506efed@rwec.co.uk>

On Tue, Apr 2, 2024 at 8:45 PM Rowan Tommins [IMSoP] wrote:

> On 02/04/2024 20:02, Ilija Tovilo wrote:
>> But, does it matter? I'm not sure we look at some commits closer than
>> others, based on its author. It's true that it might be easier to
>> identify malicious commits if they all come from the same user, but it
>> wouldn't prevent them.
>
> It's like the difference between stealing someone's credit card, and
> cloning the card of everyone who comes into the shop: in the first case,
> someone needs to check their credit card statements carefully; in the
> second, you'll have a hard job even working out who to contact.
>
> Similarly, if you discover a compromised key or signing account, you can
> look for uses of that key or account, which might be a tiny number from a
> non-core contributor; if you discover a compromised account pushing
> unsigned commits, you have to audit every commit in the repository.
>
> I agree it's not a complete solution, but no security measure is; it's
> always about reducing the attack surface or limiting the damage.

Nice comparison. Fully agree with that. I would add that a potentially even
more important point than auditability is the possibility to revoke access
of the compromised account, as otherwise you can't easily identify such an
account and prevent further issues.

Regards

Jakub
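The audit-scoping argument in Rowan's quoted message (look for uses of one compromised key, versus auditing every commit when pushes are unsigned) can be turned into a small script. What follows is an added example for this thread, not code from the PHP project or its tooling. It assumes the history was dumped with the real `git log` placeholders `--format='%H%x1f%an%x1f%G?%x1f%GF'` (`%G?` is the one-letter signature status, `%GF` the fingerprint of the signing key), and that the revoked key's fingerprint is already known; the log lines and fingerprints below are constructed for the example.

```python
#!/usr/bin/env python3
"""Scope a post-compromise commit audit from `git log` signature data.

Added example for the php.internals thread on mandatory commit signing;
not code from the PHP project. Input is the output of

    git log --format='%H%x1f%an%x1f%G?%x1f%GF'

where %G? is the signature status (G good, U good/untrusted, R good but
key revoked, B bad, E cannot check, N no signature) and %GF is the
fingerprint of the signing key.
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed sample history: four signed commits, two unsigned ones.
# Commit 3333333 already shows status R because the revocation
# certificate for Alice's key has been imported; 1111111 was signed with
# the same key before that and still verifies as G.
SAMPLE_LOG = (
    "1111111\x1fAlice\x1fG\x1fAAAA1111AAAA1111AAAA1111AAAA1111AAAA1111\n"
    "2222222\x1fBob\x1fG\x1fBBBB2222BBBB2222BBBB2222BBBB2222BBBB2222\n"
    "3333333\x1fAlice\x1fR\x1fAAAA1111AAAA1111AAAA1111AAAA1111AAAA1111\n"
    "4444444\x1fCarol\x1fN\x1f\n"
    "5555555\x1fAlice\x1fN\x1f\n"
    "6666666\x1fBob\x1fU\x1fBBBB2222BBBB2222BBBB2222BBBB2222BBBB2222\n"
)


@dataclass(frozen=True)
class Commit:
    sha: str
    author: str      # %an: free text, forgeable by anyone who can push
    sig_status: str  # one letter from %G?
    key_fpr: str     # %GF, empty string when the commit is unsigned


def parse_log(text: str) -> list[Commit]:
    """Parse the unit-separator delimited log lines into Commit records."""
    commits = []
    for line in text.splitlines():
        if not line:
            continue
        sha, author, status, fpr = line.split("\x1f", 3)
        commits.append(Commit(sha, author, status, fpr.upper()))
    return commits


def audit_scope_signed(commits: list[Commit], revoked_fprs: list[str]) -> dict:
    """Commits to review when a signing key has been compromised and revoked.

    In scope: everything signed by a revoked key (matched by fingerprint,
    or by status R once the revocation is known to gpg), plus anything
    unsigned, unverifiable or badly signed, because such commits cannot be
    attributed to a key at all.
    """
    revoked = {f.upper() for f in revoked_fprs}
    by_key = [c.sha for c in commits
              if c.key_fpr in revoked or c.sig_status == "R"]
    unattributable = [c.sha for c in commits if c.sig_status in ("N", "E", "B")]
    return {"by_revoked_key": by_key, "unattributable": unattributable}


def audit_scope_unsigned(commits: list[Commit]) -> list[str]:
    """Commits to review when a push account was compromised and nothing is
    signed: author/committer fields are free text, so any commit could have
    come from the attacker and the whole history is in scope."""
    return [c.sha for c in commits]


if __name__ == "__main__":
    history = parse_log(SAMPLE_LOG)
    scope = audit_scope_signed(history, ["AAAA1111AAAA1111AAAA1111AAAA1111AAAA1111"])
    print("signed-history audit:", scope)
    print("unsigned-history audit:", audit_scope_unsigned(history))
```

On the constructed sample the signed workflow narrows the review to the two commits made with Alice's key plus the two unattributable ones, while the unsigned workflow leaves all six in scope; with the commit's own log output the same functions produce the real review list.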