Newsgroups: php.internals
Date: Wed, 3 Apr 2024 00:05:50 +0200
Subject: Re: [PHP-DEV] Requiring GPG Commit Signing
To: PHP internals
From: tovilo.ilija@gmail.com (Ilija Tovilo)

On Tue, Apr 2, 2024 at 9:43 PM Rowan Tommins [IMSoP] wrote:
>
> Similarly, if you discover a compromised key or signing account, you can look for uses of that key or account, which might be a tiny number from a non-core contributor; if you discover a compromised account pushing unsigned commits, you have to audit every commit in the repository.

Right, that and what Jakub mentioned are fair arguments.

> I agree it's not a complete solution, but no security measure is; it's always about reducing the attack surface or limiting the damage.

Right. That was the original intention of my e-mail: To point out that we might also want to consider other mitigations. Not that we shouldn't do commit signing.

Ilija
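As an added illustration of the audit Rowan describes (example code, not from the thread or the php-src project): git's `%G?` and `%GK` format placeholders let you list the commits signed by a key you now distrust directly, whereas unsigned commits can only be bucketed for manual review. The commit hashes and key ids in the sample output are constructed.

```python
from __future__ import annotations
import subprocess
from dataclasses import dataclass

# git log placeholders: %H commit hash, %G? signature status, %GK signing key id.
# %G? values: G good, B bad, U good but untrusted, X/Y expired, R revoked, E error, N unsigned.
GIT_LOG_CMD = ["git", "log", "--format=%H%x09%G?%x09%GK"]


@dataclass(frozen=True)
class Commit:
    sha: str
    status: str
    key: str


def parse_git_log(output: str) -> list[Commit]:
    """Parse the tab-separated lines produced by GIT_LOG_CMD."""
    commits = []
    for line in output.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t")
        fields += [""] * (3 - len(fields))  # unsigned commits carry an empty %GK
        commits.append(Commit(*fields[:3]))
    return commits


def audit(commits: list[Commit], compromised_keys: set[str]) -> dict[str, list[str]]:
    """'key_hits': commits signed by a distrusted key (a small, targeted review).
    'unverified': commits with no good signature; after an account compromise every
    one of these needs manual review because nothing ties them to a key."""
    return {
        "key_hits": [c.sha for c in commits if c.key and c.key in compromised_keys],
        "unverified": [c.sha for c in commits if c.status not in ("G", "U")],
    }


def audit_repo(repo_path: str, compromised_keys: set[str]) -> dict[str, list[str]]:
    """Run the audit on a real checkout (needs git and the signers' public keys)."""
    out = subprocess.run(GIT_LOG_CMD, cwd=repo_path, check=True,
                         capture_output=True, text=True).stdout
    return audit(parse_git_log(out), compromised_keys)


# Constructed sample output in the shape git prints for GIT_LOG_CMD (values are made up).
SAMPLE_LOG = (
    "1111111111111111111111111111111111111111\tG\tAAAA0000AAAA0000\n"
    "2222222222222222222222222222222222222222\tN\t\n"
    "3333333333333333333333333333333333333333\tG\tBBBB1111BBBB1111\n"
    "4444444444444444444444444444444444444444\tB\tBBBB1111BBBB1111\n"
    "5555555555555555555555555555555555555555\tU\tCCCC2222CCCC2222\n"
)
```

Calling `audit(parse_git_log(SAMPLE_LOG), {"BBBB1111BBBB1111"})` returns the two commits tied to that key under `key_hits` and the unsigned and bad-signature commits under `unverified`.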