On Tue, Apr 2, 2024 at 8:45 PM Rowan Tommins [IMSoP] <imsop....@rwec.co.uk>
wrote:

> On 02/04/2024 20:02, Ilija Tovilo wrote:
>
> But, does it matter? I'm not sure we look at some commits closer than
> others, based on its author. It's true that it might be easier to
> identify malicious commits if they all come from the same user, but it
> wouldn't prevent them.
>
>
> It's like the difference between stealing someone's credit card, and
> cloning the card of everyone who comes into the shop: in the first case,
> someone needs to check their credit card statements carefully; in the
> second, you'll have a hard job even working out who to contact.
>
> Similarly, if you discover a compromised key or signing account, you can
> look for uses of that key or account, which might be a tiny number from a
> non-core contributor; if you discover a compromised account pushing
> unsigned commits, you have to audit every commit in the repository.
>
> I agree it's not a complete solution, but no security measure is; it's
> always about reducing the attack surface or limiting the damage.
>

Nice comparison. Fully agree with that. I would add that a potentially even
more important point than auditability is the possibility of revoking access of
the compromised account, as otherwise you can't easily identify such an account
and prevent further issues.

Regards

Jakub
