Hey Pedro,
Same point as before really, why would an attacker have access to your
SSH key but not your GPG key? This scenario leaves out the possibility of
an HTTPS over SSH attack, in which case as a security-aware person you
use 2FA of course ( :) ), which means this is not possible without
creating a personal access token. There is very little reason to do this
at all - I never did this before, and I don't know anyone who does this
with their private or work GitHub account (I think a few use it for
CI?), at least that I know of. And even if you need one, and you give it
push rights to actually push with, and you require GPG signatures
globally, you again are keeping those two factors at least close
together, if not in the same spot.
Best regards,
Marvin
On 13/09/2021 18:50, Pedro Falcato wrote:
Hi James, Marvin,
Interesting points of view.
I still have a question though: If any part of the process got
compromised (maintainer, or in the worst case scenario, the repo
itself), is there anything that could be done
in order to assess the damage? I'd say signing could help establish
trust in a lot of those cases.
Thanks,
Pedro
On Sun, Sep 12, 2021 at 10:53 AM Marvin Häuser <[email protected]> wrote:
Hey,
Just my 2 cents...
Contributors: Git's stance is the author doesn't really matter as long
as the code is acceptable. For most people, you will not know them
anyway and it does not buy you much to know they own GitHub account XY.
If someone is impersonating a maintainer (who would push the changes
directly after review), that would be obvious anyway.
Maintainers: Why would someone have access to your SSH key but not your
GPG key? Especially if your commits are auto-signed, both keys are
likely equally readable. More factors do not meaningfully increase
security if they are not clearly separate.
I'm sure nobody minds your signatures though. :)
Best regards,
Marvin
On 11/09/2021 20:25, Pedro Falcato wrote:
Hi everyone,
Yesterday, when pushing my first commits to edk2-platforms (as the
Ext4Pkg maintainer), I noticed that my commits (see 7872c98 and
71f3343) stick out like a sore thumb, as I have GPG signing on my
commits on by default (see git config commit.gpgsign), globally across
all my projects.
Is there an official stance on signed commits? I was thinking that
commit signing, at least for the maintainers that apply and push
patches, could be useful as a way to establish authenticity for every
commit that gets to the edk2 repos.
Best regards,
Pedro Falcato
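Pedro's first message enables commit.gpgsign globally, and his later question is whether signing helps assess the damage once a maintainer or the repository itself is compromised. The snippet below is an added example and is not code from anyone on this thread or from the edk2 project: it is a POSIX shell audit that reads git's own `%G?` signature-status output for a commit range and reports every commit that is not cleanly verified, which is the concrete thing signatures buy you after an incident (a list of commits to treat as suspect instead of the whole history). The `%H`, `%G?` and `%GS` placeholders are real git pretty-format specifiers; the function names and the sample log lines are constructed for this example, and the addresses in them are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): audit which commits in a range carry a
# verified signature, using git's own %G? signature-status codes.
#
# %G? values as documented for git log pretty formats:
#   G good signature          B bad signature        U good, untrusted key
#   X good, expired signature Y good, expired key    R good, revoked key
#   E cannot be checked (e.g. key not available)     N no signature

# Read "hash|status|signer" lines on stdin and print only the commits that
# are not cleanly verified ("G"), each with a one-word reason.
classify_signatures() {
    awk -F'|' '
        $2 == "G" { next }
        $2 == "N" { print $1 " unsigned"; next }
        $2 == "B" { print $1 " bad-signature"; next }
        $2 == "E" { print $1 " unverifiable"; next }
        $2 == "U" { print $1 " untrusted-key signer=" $3; next }
                  { print $1 " check-manually status=" $2; next }
    '
}

# Number of flagged commits on stdin (helper for scripts and tests).
count_flagged() {
    classify_signatures | wc -l | tr -d ' '
}

# Real use on a repository (not run in this example): audit every commit in
# the given range, e.g. audit_range origin/master..HEAD
audit_range() {
    git log --format='%H|%G?|%GS' "$1" | classify_signatures
}

# Constructed sample, in the shape `git log --format='%H|%G?|%GS'` prints.
# Hashes and addresses are placeholders, not real commits or people.
SAMPLE='a1b2c3d4e5f60718293a4b5c6d7e8f9012345678|G|Maintainer One <maintainer@example.com>
b2c3d4e5f60718293a4b5c6d7e8f90123456789a|N|
c3d4e5f60718293a4b5c6d7e8f90123456789ab0|B|Maintainer One <maintainer@example.com>
d4e5f60718293a4b5c6d7e8f90123456789ab0c1|U|Unknown Signer <unknown@example.com>
e5f60718293a4b5c6d7e8f90123456789ab0c1d2|E|'

# Running the audit over the sample flags four of the five commits.
printf '%s\n' "$SAMPLE" | classify_signatures
```

The classification only trusts "G", which requires the signer's key to be in your keyring with full validity; an "E" (key missing) or "U" (untrusted key) result is exactly the case Marvin raises, where the signature exists but the verifier has no independent reason to trust it, so those are reported rather than silently accepted.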
-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#80612): https://edk2.groups.io/g/devel/message/80612
Mute This Topic: https://groups.io/mt/85538324/21656
Group Owner: [email protected]
Unsubscribe: https://edk2.groups.io/g/devel/unsub [[email protected]]
-=-=-=-=-=-=-=-=-=-=-=-