On 02/04/2024 20:02, Ilija Tovilo wrote:
> But, does it matter? I'm not sure we look at some commits closer than
> others, based on its author. It's true that it might be easier to
> identify malicious commits if they all come from the same user, but it
> wouldn't prevent them.

It's like the difference between stealing someone's credit card, and cloning the card of everyone who comes into the shop: in the first case, someone needs to check their credit card statements carefully; in the second, you'll have a hard job even working out who to contact.

Similarly, if you discover a compromised key or signing account, you can look for uses of that key or account, which might be a tiny number from a non-core contributor; if you discover a compromised account pushing unsigned commits, you have to audit every commit in the repository.

I agree it's not a complete solution, but no security measure is; it's always about reducing the attack surface or limiting the damage.

Regards,

--
Rowan Tommins
[IMSoP]
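The audit Rowan describes, narrowing the review set to commits carrying a compromised key versus having to review everything when commits are unsigned, can be mechanised over `git log` output. The script below is an added example, not part of the thread or of the PHP project's tooling; it assumes the log was produced with `git log --format='%H %G? %GF %an'` (where `%G?` is git's signature status, `N` meaning no signature, and `%GF` the signing key's fingerprint), and the sample log lines and fingerprints are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): post-compromise triage of
# a repository's history using the signature fields git can print per commit.
#
# Produce real input with:
#   git log --format='%H %G? %GF %an' | commits_by_key <fingerprint>
# Fields: <commit hash> <signature status> <signing key fingerprint> <author>
# Status codes come from git's %G? placeholder: G good, U good but untrusted,
# B bad, N no signature (others exist: X, Y, R, E for expired/revoked/uncheckable).

# Commits signed with the given key fingerprint. After a key compromise this
# is the bounded set that must be reviewed, regardless of who pushed them.
commits_by_key() {            # $1 = key fingerprint, log lines on stdin
    awk -v fp="$1" '$2 != "N" && $3 == fp { print $1 }'
}

# Commits with no signature at all. Anyone holding the pushing account's
# credentials could have produced these, so a compromised account forces a
# review of every one of them rather than a key-bounded subset.
unsigned_commits() {          # log lines on stdin
    awk '$2 == "N" { print $1 }'
}

# One-line summary of how much history a reviewer must go through.
audit_summary() {             # $1 = key fingerprint, log lines on stdin
    tmp=$(cat)
    by_key=$(printf '%s\n' "$tmp" | commits_by_key "$1" | wc -l | tr -d ' ')
    unsigned=$(printf '%s\n' "$tmp" | unsigned_commits | wc -l | tr -d ' ')
    printf 'signed by %s: %s commit(s); unsigned: %s commit(s)\n' \
        "$1" "$by_key" "$unsigned"
}

# Constructed sample log (hashes, fingerprints and names are made up).
# Unsigned commits have an empty %GF field, so the author lands in column 3.
SAMPLE_LOG='a1a1a1a G 1111AAAA2222BBBB alice
b2b2b2b N  bob
c3c3c3c G 1111AAAA2222BBBB alice
d4d4d4d U 3333CCCC4444DDDD carol
e5e5e5e N  mallory'

printf '%s\n' "$SAMPLE_LOG" | audit_summary 1111AAAA2222BBBB
```

Against the constructed log, the compromised key `1111AAAA2222BBBB` accounts for two commits to review, while the two unsigned commits are the ones that would each need a full look if the pushing account, rather than a key, were the thing compromised.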
