On Tue, Apr 2, 2024 at 5:05 PM John Coggeshall <j...@coggeshall.org> wrote:
> > So if we want to make sure that something like XY doesn't happen, we > have to add some additional restrictions to those GPG keys. > > > Looks like all those geeky colleagues of ours back in the day having > key-signing parties at conferences were on to something, maybe.. > > Let's be clear about something -- having GPG key requirements isn't going > to help a situation like XZ. The XZ attack was done by an active maintainer > of the project (who arguably manipulated the original maintainer of the > project to become a maintainer themselves). It was as much a social > engineering attack as anything. > > Having GPG key requirements is all fine and dandy I suppose, but my > tongue-in-cheek comment above has a real point behind it: GPG keys don't > mean jack if you can't trust who owns the key. Unless we want to start > limiting contributors to people who show up at conferences to do key > signings of their GPG keys, I question exactly what this buys the project > other than an illusion of security and additional complexity? I couldn't > even *really* trust Derick to read me his GPG public key > character-by-character over the phone now days thanks to AI. > > It's not meant to prevent XZ attack. The purpose is really just for the actual contributors to have some assurance that just some random person won't commit anything in their name just by changing the author of the commit. See another thread [1] about prevention of the XZ attack - that basically requires moving the actual build to the CI and have the right process to verify it. [1] https://externals.io/message/122811 Regards Jakub
