Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:122907
X-Original-To: internals@lists.php.net
Delivered-To: internals@lists.php.net
Received: from php-smtp4.php.net (php-smtp4.php.net [45.112.84.5])
	by qa.php.net (Postfix) with ESMTPS id 9161D1A009C
	for <internals@lists.php.net>; Wed,  3 Apr 2024 06:42:06 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=php.net; s=mail;
	t=1712126554; bh=o5hI6w9bujCuh9cSPe/sRhQolJajBIyVNScZuRV2aZs=;
	h=In-Reply-To:References:Date:From:To:Subject:From;
	b=aOJ84lTGTEkQU88AekoRemIjBexFHEHi5k75QlWxFC60DdeYb4j7hAzL/FBwdO9Mp
	 j72AVNQPT+26ll2YhumA9d+xHqp407U60Wz0S8lsPdgdAZrt8aGl4tJix8p/dViqJ4
	 5ImHymrqDdNZTNAknl+cf0awyQ93yJj1P4fgj3MH8Ze6mTXtnrRvGt0B/RvfztsN49
	 xAtlWl7uaYVdJsmV1Fh4SB7pUtHbDlYoX/jTYzM+Q2v48OEUxoeNJs/iSyhTO/0yG8
	 4j4dLOa6OTQmf4wGhubskf7Ldme//mP1g4XPYsSkvG/EaMLX7YPLHBnmlR25AYsukB
	 i92X98AYFsA1A==
Received: from php-smtp4.php.net (localhost [127.0.0.1])
	by php-smtp4.php.net (Postfix) with ESMTP id B04B1180062
	for <internals@lists.php.net>; Wed,  3 Apr 2024 06:42:33 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 4.0.0 (2022-12-13) on php-smtp4.php.net
X-Spam-Level: 
X-Spam-Status: No, score=-0.1 required=5.0 tests=BAYES_50,DKIM_SIGNED,
	DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,DMARC_MISSING,HTML_MESSAGE,
	RCVD_IN_DNSWL_LOW,SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE
	autolearn=no autolearn_force=no version=4.0.0
X-Spam-Virus: No
X-Envelope-From: <rob@bottled.codes>
Received: from wfout5-smtp.messagingengine.com (wfout5-smtp.messagingengine.com [64.147.123.148])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256)
	(No client certificate requested)
	by php-smtp4.php.net (Postfix) with ESMTPS
	for <internals@lists.php.net>; Wed,  3 Apr 2024 06:42:33 +0000 (UTC)
Received: from compute1.internal (compute1.nyi.internal [10.202.2.41])
	by mailfout.west.internal (Postfix) with ESMTP id 6F61B1C000B5
	for <internals@lists.php.net>; Wed,  3 Apr 2024 02:42:03 -0400 (EDT)
Received: from imap49 ([10.202.2.99])
  by compute1.internal (MEProxy); Wed, 03 Apr 2024 02:42:03 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=bottled.codes;
	 h=cc:content-type:content-type:date:date:from:from:in-reply-to
	:in-reply-to:message-id:mime-version:references:reply-to:subject
	:subject:to:to; s=fm3; t=1712126522; x=1712212922; bh=p4wp+sGAyw
	5iJdKvl5mJ3vi6n28GIST3pEImBRrSnrI=; b=HA1fVBTuUy2kUKXglrzod3Q+hN
	h8A2aIh0CmJ+QAz/z5hBmt/ssdkSN864AZeOmMcR32yp1hY8MnLw82IzlLRXr69Y
	7hikp8lSzYZ3u1uu9hW1/BaeUuKGetJZepaYGJwVAbVMYdH6x2Idb3XSHMaKfCca
	MFnIBGCJQecApKoihHjMJ/kpiemSvZmDo2opGOvNGeUqikA2WyZnCKOxl3AEGziM
	AW6z42GoYs9Q8VzsQFAaIN3YR2IWEjslFVm5Z7jIH+NW6PM0awxA8y7kXnP3c82V
	WdTqGwmlJE/iZ5u8uyhxjZThWvSILOY7kX1IbWzQlGk+JWOoK7mWBbsLvzDw==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=
	messagingengine.com; h=cc:content-type:content-type:date:date
	:feedback-id:feedback-id:from:from:in-reply-to:in-reply-to
	:message-id:mime-version:references:reply-to:subject:subject:to
	:to:x-me-proxy:x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s=
	fm2; t=1712126522; x=1712212922; bh=p4wp+sGAyw5iJdKvl5mJ3vi6n28G
	IST3pEImBRrSnrI=; b=VaiFYySicyKeNleM+BXbKM1615ENXuO3/Vs9zlu7J0Qq
	9RDyqcp9uCTt57X3T6a0C64Q+eN7Uwoofw4fig5A4LwqaC6Fh1l5RxBm7+pc2077
	3igx6OYjVe/qYoW26ZWx/04c6o9wqu94FTi7MOV6CoZc1O/d6lMMCc2fgt2+qjhs
	KEXBsuusi5zEdQaXnpD5b1kSvsZ85FanSdpwCEjPvi+meK05q2N+IOWIgLChO6S/
	4hzf34n3nD4nQesEUuYzkn/4oynAceGT02BOwuyvXdqAwElIlzNZXQANzo+kF/1v
	rr774X/rNh2/y7v/KxLL49+DPCJchlNVdJVVDHstqw==
X-ME-Sender: <xms:OvoMZrCLoykwQDOeC0fCnBNrcSdeYDMMtqsXWlSkScW59bsURhiLnA>
    <xme:OvoMZhi2WFidv0Z17T84AzOh1TFDQPxu_4aAw5VbcHg7QlWyuXrk9Gx3T4B5TCJEe
    ws3sOn4JqYkjt9PJto>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvledrudeffedguddtlecutefuodetggdotefrod
    ftvfcurfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfgh
    necuuegrihhlohhuthemuceftddtnecunecujfgurhepofgfggfkjghffffhvffutgesrg
    dtreerreerjeenucfhrhhomhepfdftohgsucfnrghnuggvrhhsfdcuoehrohgssegsohht
    thhlvggurdgtohguvghsqeenucggtffrrghtthgvrhhnpeegvdettdeuvdffgfehffejte
    dvvedtheejvdehvdeifeffudfhveeuhfefhfegffenucffohhmrghinhepghhithhhuhgs
    rdgtohhmnecuvehluhhsthgvrhfuihiivgeptdenucfrrghrrghmpehmrghilhhfrhhomh
    eprhhosgessghothhtlhgvugdrtghouggvsh
X-ME-Proxy: <xmx:OvoMZmlw3_bAOXFi_FoW4JMEFFjUvhWmjtUA0yO3snr0qvjQqZEw6g>
    <xmx:OvoMZtye0M9CQT4FxawX-hhTxFE8MyjTmTwnSkuXBYg1lvYnVFBp-Q>
    <xmx:OvoMZgQQoWHKQlN2bOflhry8k6qyfTAOSflfikGT3AcCvonu3jsG3Q>
    <xmx:OvoMZgYGjgJuGzHi8azFn0EmIBEkL4cew-R7-dDxRI-s8VxPD6vhUg>
    <xmx:OvoMZrIpshHcp8WDvMxzZlZzTyYJ7QKAb78Azu0BWnB6DJvKmxFkTQ56>
Feedback-ID: ifab94697:Fastmail
Received: by mailuser.nyi.internal (Postfix, from userid 501)
	id 3B09915A0094; Wed,  3 Apr 2024 02:42:02 -0400 (EDT)
X-Mailer: MessagingEngine.com Webmail Interface
User-Agent: Cyrus-JMAP/3.11.0-alpha0-333-gbfea15422e-fm-20240327.001-gbfea1542
Precedence: bulk
list-help: <mailto:internals+help@lists.php.net
list-unsubscribe: <mailto:internals+unsubscribe@lists.php.net>
list-post: <mailto:internals@lists.php.net>
List-Id: internals.lists.php.net
MIME-Version: 1.0
Message-ID: <17cad25d-bb3e-4be4-a875-a399c64f605e@app.fastmail.com>
In-Reply-To: <089e6466-540b-4d86-8cf4-1a6b5506efed@rwec.co.uk>
References: <3e988b3b-65b8-13d3-16cf-1296bfdd7ed2@php.net>
 <CAPyj-LC9Ygr0vNB3RyTKmmYmq1VbNgzDS_J3bq6NaoXD1YaMhQ@mail.gmail.com>
 <33406173-693c-44c2-a378-fff49751f3b4@rwec.co.uk>
 <CAPyj-LDh7K=cGcxX1qpY7=SYGOdOo0y-QAQjorhRoeqO2ni96A@mail.gmail.com>
 <089e6466-540b-4d86-8cf4-1a6b5506efed@rwec.co.uk>
Date: Wed, 03 Apr 2024 08:41:06 +0200
To: internals@lists.php.net
Subject: Re: [PHP-DEV] Requiring GPG Commit Signing
Content-Type: multipart/alternative;
 boundary=10f8899a49364bfcbaa4aa598e945e61
From: rob@bottled.codes ("Rob Landers")

--10f8899a49364bfcbaa4aa598e945e61
Content-Type: text/plain;charset=utf-8
Content-Transfer-Encoding: quoted-printable

On Tue, Apr 2, 2024, at 21:40, Rowan Tommins [IMSoP] wrote:
> On 02/04/2024 20:02, Ilija Tovilo wrote:
>> But, does it matter? I'm not sure we look at some commits closer than
>> others, based on its author. It's true that it might be easier to
>> identify malicious commits if they all come from the same user, but it
>> wouldn't prevent them.
>=20
>=20
> It's like the difference between stealing someone's credit card, and c=
loning the card of everyone who comes into the shop: in the first case, =
someone needs to check their credit card statements carefully; in the se=
cond, you'll have a hard job even working out who to contact.
>=20
> Similarly, if you discover a compromised key or signing account, you c=
an look for uses of that key or account, which might be a tiny number fr=
om a non-core contributor; if you discover a compromised account pushing=
 unsigned commits, you have to audit every commit in the repository.
>=20
> I agree it's not a complete solution, but no security measure is; it's=
 always about reducing the attack surface or limiting the damage.
>=20
> Regards,
>=20
> --=20
> Rowan Tommins
> [IMSoP]

FWIW, I store my signing and ssh keys on yubikeys. Even then, when I man=
aged to lose one several years ago, revoking the certificate on GitHub w=
as relatively straightforward. Further, it marked every commit made by t=
hat key (ever) as unverified.

So, in the very least, if a key were to be compromised, any open PRs wou=
ld need to be resigned by the author to get them back in good standing; =
if verified commits are required.=20

This, of course, makes GitHub the "single point of failure." If someone =
were to gain access to my GH (even on an unattended laptop), they could =
add their own keys, and on another computer; log in with another account=
, and then push commits with my email address and their gpg key. GitHub =
would show them as verified (IIRC) and from me. This is by design, since=
 "in theory," I could have pushed my commits to a coworker's git repo, w=
ho then pushed it to GH.

Terrifying stuff... but it is even more terrifying than not having signe=
d commits at all, since literally anyone can push a commit with anyone's=
 name on it and nobody would even know it was a counterfeit. So, at leas=
t requiring signed commits makes the bar that much higher to counterfeit=
/hide malicious commits.

If this stuff terrifies you too, I recommend turning on vigilant mode: h=
ttps://docs.github.com/en/authentication/managing-commit-signature-verif=
ication/displaying-verification-statuses-for-all-of-your-commits

=E2=80=94 Rob
--10f8899a49364bfcbaa4aa598e945e61
Content-Type: text/html;charset=utf-8
Content-Transfer-Encoding: quoted-printable

<!DOCTYPE html><html><head><title></title><style type=3D"text/css">p.Mso=
Normal,p.MsoNoSpacing{margin:0}</style></head><body><div>On Tue, Apr 2, =
2024, at 21:40, Rowan Tommins [IMSoP] wrote:<br></div><blockquote type=3D=
"cite" id=3D"qt" style=3D""><div class=3D"qt-moz-cite-prefix">On 02/04/2=
024 20:02, Ilija Tovilo
      wrote:<br></div><blockquote type=3D"cite" cite=3D"mid:CAPyj-LDh7K=3D=
cGcxX1qpY7=3DSYGOdOo0y-QAQjorhRoeqO2ni96A@mail.gmail.com"><pre>But, does=
 it matter? I'm not sure we look at some commits closer than
others, based on its author. It's true that it might be easier to
identify malicious commits if they all come from the same user, but it
wouldn't prevent them.<br></pre></blockquote><p><br></p><p>It's like the=
 difference between stealing someone's credit card,
      and cloning the card of everyone who comes into the shop: in the
      first case, someone needs to check their credit card statements
      carefully; in the second, you'll have a hard job even working out
      who to contact.<br></p><p>Similarly, if you discover a compromised=
 key or signing account,
      you can look for uses of that key or account, which might be a
      tiny number from a non-core contributor; if you discover a
      compromised account pushing unsigned commits, you have to audit
      every commit in the repository.<br></p><p>I agree it's not a compl=
ete solution, but no security measure is;
      it's always about reducing the attack surface or limiting the
      damage.<br></p><p>Regards,<br></p><pre class=3D"qt-moz-signature" =
cols=3D"72">--=20
Rowan Tommins
[IMSoP]<br></pre></blockquote><div><br></div><div>FWIW, I store my signi=
ng and ssh keys on yubikeys. Even then, when I managed to lose one sever=
al years ago, revoking the certificate on GitHub was relatively straight=
forward. Further, it marked every commit made by that key (ever) as unve=
rified.<br></div><div><br></div><div>So, in the very least, if a key wer=
e to be compromised, any open PRs would need to be resigned by the autho=
r to get them back in good standing; if verified commits are required.&n=
bsp;<br></div><div><br></div><div>This, of course, makes GitHub the "sin=
gle point of failure." If someone were to gain access to my GH (even on =
an unattended laptop), they could add their own keys, and on another com=
puter; log in with another account, and then push commits with my email =
address and their gpg key. GitHub would show them as verified (IIRC) and=
 from me. This is by design, since "in theory," I could have pushed my c=
ommits to a coworker's git repo, who then pushed it to GH.<br></div><div=
><br></div><div>Terrifying stuff... but it is even more terrifying than =
not having signed commits at all, since literally anyone can push a comm=
it with anyone's name on it and nobody would even know it was a counterf=
eit. So, at least requiring signed commits makes the bar that much highe=
r to counterfeit/hide malicious commits.<br></div><div><br></div><div>If=
 this stuff terrifies you too, I recommend turning on vigilant mode:&nbs=
p;<a href=3D"https://docs.github.com/en/authentication/managing-commit-s=
ignature-verification/displaying-verification-statuses-for-all-of-your-c=
ommits">https://docs.github.com/en/authentication/managing-commit-signat=
ure-verification/displaying-verification-statuses-for-all-of-your-commit=
s</a><br></div><div><br></div><div id=3D"sig121229152">=E2=80=94 Rob<br>=
</div></body></html>
--10f8899a49364bfcbaa4aa598e945e61--