Hi
On 4/9/24 13:02, Derick Rethans wrote:
It seems that most of the reply to this was positive, although with the
realisation that it wouldn't be a panacea.
I will therefore propose a minimalistic RFC to create this requirement
to sign commits to all branches, in the next few days.
I
On Tue, 2 Apr 2024, Derick Rethans wrote:
> What do y'all think about requiring GPG signed commits for the php-src
> repository?
>
> I had a look, and this is also something we can enforce through GitHub
> as well (by using branch protections).
It seems that most of the reply to this was
Hi
[Resending, because my mail server failed to look up php.net. It looks
good now, I apologize for duplicate copies.]
On 4/3/24 19:28, John Coggeshall wrote:
That's really unfortunate (why even bother). IMO without some sort of web of
trust verification process for GPG, this just feels
> > Having GPG key requirements is all fine and dandy I suppose, but my
> > tongue-in-cheek comment above has a real point behind it: GPG keys
> > don't mean jack if you can't trust who owns the key.
>
> GitHub doesn't show the web of trust anyway, just "verified". Command
> line GIT doesn't
On Tue, 2 Apr 2024, John Coggeshall wrote:
>
> > So if we want to make sure that something like XY doesn't happen, we
> > have to add some additional restrictions to those GPG keys.
>
> Looks like all those geeky colleagues of ours back in the day having
> key-signing parties at conferences
On Tue, 2 Apr 2024, Ayesh Karunaratne wrote:
> > What do y'all think about requiring GPG signed commits for the
> > php-src repository?
> >
> > I had a look, and this is also something we can enforce through
> > GitHub as well (by using branch protections).
>
> +1 from me as well, and quite
On Tue, Apr 2, 2024, at 21:40, Rowan Tommins [IMSoP] wrote:
> On 02/04/2024 20:02, Ilija Tovilo wrote:
>> But, does it matter? I'm not sure we look at some commits closer than
>> others, based on its author. It's true that it might be easier to
>> identify malicious commits if they all come from
On Tue, Apr 2, 2024 at 9:43 PM Rowan Tommins [IMSoP]
wrote:
>
> Similarly, if you discover a compromised key or signing account, you can look
> for uses of that key or account, which might be a tiny number from a non-core
> contributor; if you discover a compromised account pushing unsigned
On Tue, Apr 2, 2024 at 8:45 PM Rowan Tommins [IMSoP]
wrote:
> On 02/04/2024 20:02, Ilija Tovilo wrote:
>
> But, does it matter? I'm not sure we look at some commits closer than
> others, based on its author. It's true that it might be easier to
> identify malicious commits if they all come from
On 02/04/2024 20:02, Ilija Tovilo wrote:
But, does it matter? I'm not sure we look at some commits closer than
others, based on its author. It's true that it might be easier to
identify malicious commits if they all come from the same user, but it
wouldn't prevent them.
It's like the
Hi Rowan
On Tue, Apr 2, 2024 at 8:48 PM Rowan Tommins [IMSoP]
wrote:
>
> In fact, you don't need to compromise anybody's key: you could socially
> engineer a situation where you have push access to the repository, or break
> the security in some other way. As I understand it, this is exactly
On 02/04/2024 18:27, Ilija Tovilo wrote:
If your GitHub account is compromised,
[...] the attacker may simply register their
own gpg key in your account, with the commits appearing as verified.
If your ssh key is compromised instead, and you use ssh to sign your
commits, the attacker may sign
On Tue, Apr 2, 2024, at 5:27 PM, Ilija Tovilo wrote:
> Hi Derick
>
> On Tue, Apr 2, 2024 at 4:15 PM Derick Rethans wrote:
>>
>> What do y'all think about requiring GPG signed commits for the php-src
>> repository?
>
> Let me repost my internal response for visibility.
>
> I'm currently struggling
Hi Derick
On Tue, Apr 2, 2024 at 4:15 PM Derick Rethans wrote:
>
> What do y'all think about requiring GPG signed commits for the php-src
> repository?
Let me repost my internal response for visibility.
I'm currently struggling to understand what kind of attack signing
commits prevents.
If
On Tue, Apr 2, 2024 at 5:05 PM John Coggeshall wrote:
>
> So if we want to make sure that something like XY doesn't happen, we
> have to add some additional restrictions to those GPG keys.
>
>
> Looks like all those geeky colleagues of ours back in the day having
> key-signing parties at
> So if we want to make sure that something like XY doesn't happen, we
> have to add some additional restrictions to those GPG keys.
>
Looks like all those geeky colleagues of ours back in the day having
key-signing parties at conferences were on to something, maybe..
Let's be clear about
On 02/04/2024 15:55, Calvin Buckley wrote:
On Apr 2, 2024, at 11:15 AM, Derick Rethans wrote:
What do y'all think about requiring GPG signed commits for the php-src
repository?
I had a look, and this is also something we can enforce through GitHub
as well (by using branch protections).
Would
Hey List, Hey Derick
Am 02.04.24 um 16:15 schrieb Derick Rethans:
Hi,
What do y'all think about requiring GPG signed commits for the php-src
repository?
In general I think it is a good idea to do GPG signed commits. But in
terms of security the idea is to be able to authenticate a user. But
On 02/04/2024 16:15, Derick Rethans wrote:
> Hi,
>
> What do y'all think about requiring GPG signed commits for the php-src
> repository?
>
> I had a look, and this is also something we can enforce through GitHub
> as well (by using branch protections).
>
> cheers,
> Derick
>
>
I'm in
On Tue, Apr 2, 2024 at 4:16 PM Derick Rethans wrote:
> What do y'all think about requiring GPG signed commits for the php-src
> repository?
>
+1
On Tue, 2 Apr 2024, Calvin Buckley wrote:
> On Apr 2, 2024, at 11:15 AM, Derick Rethans wrote:
> >
> > What do y'all think about requiring GPG signed commits for the php-src
> > repository?
> >
> > I had a look, and this is also something we can enforce through GitHub
> > as well (by using
On Apr 2, 2024, at 11:15 AM, Derick Rethans wrote:
>
> What do y'all think about requiring GPG signed commits for the php-src
> repository?
>
> I had a look, and this is also something we can enforce through GitHub
> as well (by using branch protections).
Would this affect only direct pushes
On Tue, 2 Apr 2024, at 15:15, Derick Rethans wrote:
> Hi,
>
> What do y'all think about requiring GPG signed commits for the php-src
> repository?
I actually thought this was already required since the github move (and the
events that led to it) 3 years ago.
It was certainly discussed:
>
> Hi,
>
> What do y'all think about requiring GPG signed commits for the php-src
> repository?
>
> I had a look, and this is also something we can enforce through GitHub
> as well (by using branch protections).
>
> cheers,
> Derick
>
>
> --
> https://derickrethans.nl | https://xdebug.org |
No problem with this, I apply this since couple of days.
Cheers.
On Tue, 2 Apr 2024 at 15:37, Jakub Zelenka wrote:
> On Tue, Apr 2, 2024 at 3:36 PM Jakub Zelenka wrote:
>
>> On Tue, Apr 2, 2024 at 3:17 PM Derick Rethans wrote:
>>
>>> Hi,
>>>
>>> What do y'all think about requiring GPG signed
On Tue, Apr 2, 2024 at 3:36 PM Jakub Zelenka wrote:
> On Tue, Apr 2, 2024 at 3:17 PM Derick Rethans wrote:
>
>> Hi,
>>
>> What do y'all think about requiring GPG signed commits for the php-src
>> repository?
>>
>>
> +1, most of the devs already do that. I CC'd few of the regular devs that
>
On Tue, Apr 2, 2024 at 3:17 PM Derick Rethans wrote:
> Hi,
>
> What do y'all think about requiring GPG signed commits for the php-src
> repository?
>
>
+1, most of the devs already do that. I CC'd few of the regular devs that
don't sign commits (taken from the latest history) so they are aware
Am 02.04.2024 um 16:15 schrieb Derick Rethans:
What do y'all think about requiring GPG signed commits for the php-src
repository?
+1
28 matches
Mail list logo
