Newsgroups: php.internals
Subject: Re: [PHP-DEV] Requiring GPG Commit Signing
From: Tim Düsterhus <tim@bastelstu.be>
To: John Coggeshall, Derick Rethans
Cc: internals@lists.php.net
Date: Wed, 3 Apr 2024 20:20:44 +0200
In-Reply-To: <87FFF397-EAAC-4B1B-8F5B-937F084368BD@getmailspring.com>

Hi

[Resending, because my mail server failed to look up php.net. It looks good now, I apologize for duplicate copies.]

On 4/3/24 19:28, John Coggeshall wrote:
> That's really unfortunate (why even bother). IMO without some sort of web of trust verification process for GPG, this just feels like added barriers for no actual win. In fact, if anything I think it's more likely to give the project a false sense of security.

While it does not *prevent* any attacks, it possibly simplifies an investigation:

For example: Did John Doe suddenly start signing with a new key? Or was only a single commit signed with a different key?

If John uses a different key for each computer (e.g. one for the work laptop and one for the private gaming computer), then the signature possibly allows determining which machine was compromised.

These are useful signals to determine the possible scope of an attack.

Best regards
Tim Düsterhus
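The investigation signal Tim describes (an author suddenly signing with a new key, or a single commit signed with a different key) can be checked mechanically from `git log`. The script below is an added example, not part of the thread or of php-src's tooling; it relies on git's `%G?` (signature status) and `%GK` (signing key) format placeholders, and the sample log lines, author names and key ids it embeds are constructed.

```python
"""Flag commits whose signing key deviates from the key the same author usually uses."""
import subprocess
from collections import Counter, defaultdict

# git log format: hash, author name, signature status (%G?), key used to sign (%GK)
LOG_FORMAT = "%H%x09%an%x09%G?%x09%GK"


def parse_log(text):
    """Parse tab-separated lines produced with LOG_FORMAT into dicts."""
    commits = []
    for line in text.splitlines():
        if not line:
            continue
        parts = line.split("\t")
        if len(parts) != 4:
            raise ValueError(f"unexpected log line: {line!r}")
        sha, author, status, key = parts
        commits.append({"sha": sha, "author": author, "status": status, "key": key})
    return commits


def find_key_anomalies(commits):
    """Return (author, sha, key, reason) for commits that are not well signed ('G')
    or that were signed with a key other than the author's most-used key.
    A hit may be a legitimate key rotation or a second machine, or a lone outlier:
    either way it narrows the scope of an investigation, as the email argues."""
    keys_by_author = defaultdict(Counter)
    for c in commits:
        if c["status"] == "G":
            keys_by_author[c["author"]][c["key"]] += 1
    findings = []
    for c in commits:
        if c["status"] != "G":
            findings.append((c["author"], c["sha"], c["key"], f"signature status {c['status']!r}, not G"))
            continue
        usual_key, _ = keys_by_author[c["author"]].most_common(1)[0]
        if c["key"] != usual_key:
            findings.append((c["author"], c["sha"], c["key"], f"differs from usual key {usual_key}"))
    return findings


def git_log(ref="HEAD", count=200):
    """Fetch real log lines from the current repository (assumes git is on PATH)."""
    out = subprocess.run(["git", "log", f"-n{count}", f"--format={LOG_FORMAT}", ref],
                         capture_output=True, text=True, check=True)
    return out.stdout


# Constructed sample log: hashes, names and key ids are placeholders, not real data.
SAMPLE_LOG = ("aaaa1\tJohn Doe\tG\tKEY_JOHN_LAPTOP\n"
              "aaaa2\tJohn Doe\tG\tKEY_JOHN_LAPTOP\n"
              "aaaa3\tJohn Doe\tG\tKEY_JOHN_OTHER\n"
              "aaaa4\tJohn Doe\tG\tKEY_JOHN_LAPTOP\n"
              "aaaa5\tJane Roe\tN\t\n"
              "aaaa6\tJane Roe\tG\tKEY_JANE\n")

if __name__ == "__main__":
    for finding in find_key_anomalies(parse_log(SAMPLE_LOG)):
        print(*finding, sep="\t")
```

Replace `SAMPLE_LOG` with `git_log()` to run it against a real checkout; for `%G?` to report `G` rather than `U` or `E`, the signer's public key must be imported into the keyring of the machine doing the check.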