Simon Josefsson via Gnulib discussion list <[email protected]> writes:
> Bruno Haible via Gnulib discussion list <[email protected]> writes:
>
>> Why should we mention this? The Gnulib repository doesn't use signed commits.
>>
>> And IMO it doesn't need to. Last time we discussed this, IIRC Simon noted
>> that enforcing signed commits hampers development by causing hassles to
>> the developers.
>
> I still encourage commit signing, not because it actually solves any
> real problem that we have, but rather that it encourages a stronger
> ecosystem for free software distribution and helps to establish best
> recommended practices generally.
>
> But I'm pragmatic enough to see that this isn't realistic or useful to
> enforce for gnulib today.
>
> Most projects have stronger security concerns about their artifact
> distribution than gnulib.
>
> I think the simplest attack vector for gnulib is someone modifying the
> git repository on savannah to inject malware.
>
> Two things mitigate that attack:
>
> 1) we have a bunch of active committers that would likely notice any
> discrepancy with savannah and their local repository and e-mail the
> list; together with
>
> 2) people don't blindly use the latest commit automatically, it is
> normally a manual process to incorporate a particular gnulib commit
> into some project and then release that project. So gnulib code
> doesn't end up in the wild quickly.
>
> I fear someone may come up with a way to accomplish 1) without us
> noticing it, because our use of git builds on SHA1 which is known to be
> broken, so it is conceivable that someone could inject malware on the
> gnulib git repository on savannah without us noticing.

Or one would simply commit some malware deep somewhere with --author and
--committer set to an inactive contributor's name. It is not inconceivable
that, if timed well, this would easily slip by as people usually don't read
every bit of history after a git-pull.

Not possible if the commit must be signed for a push to pass.

-- 
Arsen Arsenović
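The server-side check Arsen alludes to ("the commit must be signed for a push to pass"), as an added example that is not part of the thread or of gnulib: a POSIX sh pre-receive hook that rejects any pushed commit lacking a good signature. It assumes git and gpg on the server with the committers' public keys imported; `check_sig_statuses` and `pre_receive_hook` are names chosen for this example.

```shell
#!/bin/sh
# Added example, not from the thread: refuse a push unless every newly
# pushed commit carries a good signature. Assumes git and gpg are installed
# on the server and the committers' public keys are imported; without the
# keys every commit reports status E and is rejected.
#
# `git log --format='%H %G?'` prints per commit its hash and a one-letter
# signature status: G = good, U = good but key untrusted, B = bad,
# X/Y = expired signature/key, R = revoked key, E = cannot check,
# N = no signature at all.

# check_sig_statuses reads "hash status" lines on stdin and returns 0 only
# when every commit is G (U is also accepted when $1 is "allow-untrusted").
# Rejected commits are reported on stderr.
check_sig_statuses() {
    rc=0
    while read -r commit status rest; do
        case "$status" in
            G) ;;
            U) if [ "${1:-}" = allow-untrusted ]; then :; else
                   echo "rejected $commit: signed with an untrusted key" >&2; rc=1
               fi ;;
            N) echo "rejected $commit: unsigned commit" >&2; rc=1 ;;
            *) echo "rejected $commit: signature status '$status'" >&2; rc=1 ;;
        esac
    done
    return $rc
}

# pre_receive_hook reads the "oldrev newrev refname" triples git feeds a
# pre-receive hook and checks every commit newly reachable from each ref.
# A commit forged with --author/--committer still has to carry a good
# signature here, which ties it to a real key holder rather than a name.
pre_receive_hook() {
    zero=0000000000000000000000000000000000000000
    while read -r oldrev newrev refname; do
        if [ "$newrev" = "$zero" ]; then continue; fi    # ref deletion, nothing to verify
        if [ "$oldrev" = "$zero" ]; then
            range="$newrev --not --all"                  # new ref: only commits the repo lacks
        else
            range="$oldrev..$newrev"
        fi
        # $range is intentionally word-split
        git log --format='%H %G?' $range | check_sig_statuses "$1" || return 1
    done
}

# Install: copy to hooks/pre-receive in the bare repository and append the
# line `pre_receive_hook "$@"` (pass "allow-untrusted" to accept status U).
```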