On 06/15/2018 07:50 AM, Thomas Deutschmann wrote:
> On 2018-06-15 04:27, kuzetsa wrote:
>> I think I understand that viewpoint, but there's nuance:
>>
>> (it matters "more than zero", as you claimed)
>>
>> if proxy-maintainers or other contributors have no
>> assurance that they aren't being impersonated, then
>> a person in bad faith could spoof a submission.

{...}

> We can only rely on our own key management. If an attacker is able to
> manipulate Gentoo LDAP (our single point of truth),

{...}

{...} /// proxy maintainer's signature will never appear in
> Gentoo repository (it is always the developer's signature which will
> replace the proxy maintainer's signature), there's no need to do
> something like that at the moment because we have nothing to verify.

{...}

> - For Gentoo developers it is important to understand that you are
> reliable for anything signed by your key. So it doesn't really matter if
> the PR was spoofed or not. /// {...}

I'm aware of this, and it's part of what I'm troubled by:

the act of throwing away signatures from contributors is
a thing which I had considered mentioning in a different
context: ["Would you sign a Contributor License Agreement?"]

"Gentoo Developer's Certificate of Origin" - shouldn't
the author / contributor themselves be involved in this?

contributor keys /do/ matter, at least until the point
where a commit is in the tree (with signature replaced)

at some point, the contributor exercises their judgment
in saying to themselves: "yes, this matches what I wrote",
and will then reconcile their local git tree with the
official (developer-signed) one.

^ meta-stuff for non-developer contributions ::sigh::

- for the original thing I was trying to say:

the analogy could be made where an employer insists that
all wages are issued to a preloaded debit card, rather
than a bank transfer or paycheck which gets handled by
the financial institution designated by each employee.

while possible that banks could do something malicious,
/not/ having a bank would increase the counterparty risk
for employees; separation of duties might be an apt term?

involving a 3rd party means the option is available to spot
any discrepancies between activity / commits in the gentoo
tree, versus the tree (on github, or any other 3rd party)
which a contributor has made transparent / visible.

-- kuza
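[Editor's note: the following is an added worked example, not part of the thread and not code from Gentoo's tooling. It illustrates the "yes, this matches what I wrote" check discussed above: when a developer re-signs a proxied commit, the commit object changes (new committer, new gpgsig header, hence a new commit id), but the tree object the commit points at is untouched unless the file content was altered. Comparing the tree id of the local commit against the landed commit is therefore the discrepancy check a contributor can run, independent of whose signature is on the commit. Hashes are computed the way git computes loose-object ids (SHA-1 over "<type> <size>\0<payload>"); the ebuild text, names, e-mail addresses, timestamps and signature bodies are constructed placeholders.]

```python
"""Added example: why a contributor can still verify a landed commit after
their own signature has been replaced by the developer's.

Object ids are computed exactly as git does for loose objects
(sha1 over "<type> <size>\\0" + payload).  All sample data below
(ebuild text, names, addresses, timestamps, signature bodies) is constructed
for illustration and is not taken from the Gentoo repository.
"""
import hashlib
from typing import List, Optional, Tuple


def git_object_id(kind: str, payload: bytes) -> str:
    """Loose-object id: sha1("<type> <size>\\0" + payload), hex-encoded."""
    header = f"{kind} {len(payload)}\0".encode()
    return hashlib.sha1(header + payload).hexdigest()


def blob_id(content: bytes) -> str:
    return git_object_id("blob", content)


def tree_id(entries: List[Tuple[str, str, str]]) -> str:
    """entries = [(mode, name, sha_hex)].  A tree object is the concatenation of
    "<mode> <name>\\0<20 raw sha bytes>" sorted by name.  Plain files only here;
    git sorts subdirectory entries as if a '/' were appended to the name."""
    payload = b""
    for mode, name, sha in sorted(entries, key=lambda e: e[1]):
        payload += f"{mode} {name}".encode() + b"\0" + bytes.fromhex(sha)
    return git_object_id("tree", payload)


def make_commit(tree: str, parent: Optional[str], author: str, committer: str,
                message: str, gpgsig: Optional[str] = None) -> Tuple[str, bytes]:
    """Return (commit id, raw commit payload as `git cat-file commit` prints it).
    A signature lives in a multi-line 'gpgsig' header; continuation lines are
    prefixed with one space.  Re-signing changes this header and the committer,
    so the commit id changes even when the tree does not."""
    lines = [f"tree {tree}"]
    if parent:
        lines.append(f"parent {parent}")
    lines += [f"author {author}", f"committer {committer}"]
    if gpgsig:
        sig = gpgsig.splitlines()
        lines.append("gpgsig " + sig[0])
        lines += [" " + s for s in sig[1:]]
    payload = ("\n".join(lines) + "\n\n" + message).encode()
    return git_object_id("commit", payload), payload


def tree_of(commit_payload: bytes) -> str:
    """Pull the 'tree <sha>' header out of a raw commit object."""
    first = commit_payload.split(b"\n", 1)[0].decode()
    kind, sha = first.split(" ", 1)
    if kind != "tree":
        raise ValueError("malformed commit object: first header is not 'tree'")
    return sha


def same_content(commit_a: bytes, commit_b: bytes) -> bool:
    """The contributor's check: does the landed commit point at exactly the tree
    I produced?  Commit ids, committer and signature are allowed to differ."""
    return tree_of(commit_a) == tree_of(commit_b)


def demo() -> dict:
    # Constructed sample data; nothing here comes from a real repository.
    ebuild = b'EAPI=7\nDESCRIPTION="sample package"\nSLOT="0"\n'
    tree = tree_id([("100644", "sample-1.0.ebuild", blob_id(ebuild))])
    contributor = "Contributor <contributor@example.invalid> 1529041000 +0000"
    developer = "Developer <developer@example.invalid> 1529050000 +0000"
    msg = "app-misc/sample: new package\n\nSigned-off-by: Contributor\n"

    def fake_sig(who: str) -> str:  # placeholder armor, not a real signature
        return ("-----BEGIN PGP SIGNATURE-----\n\n"
                f"({who} signature bytes)\n-----END PGP SIGNATURE-----")

    # 1. the contributor's local commit, signed with the contributor's key
    local_id, local = make_commit(tree, None, contributor, contributor, msg,
                                  fake_sig("contributor"))
    # 2. what lands in the tree: same author and tree, but committed and
    #    re-signed by the developer, so the commit id differs
    landed_id, landed = make_commit(tree, None, contributor, developer, msg,
                                    fake_sig("developer"))
    # 3. a landed commit whose ebuild was altered somewhere between PR and push
    altered_tree = tree_id([("100644", "sample-1.0.ebuild",
                             blob_id(ebuild + b'RESTRICT="mirror"\n'))])
    altered_id, altered = make_commit(altered_tree, None, contributor,
                                      developer, msg, fake_sig("developer"))
    return {
        "ids_differ": local_id != landed_id,        # True: re-signing changed the commit
        "landed_matches": same_content(local, landed),   # True: identical tree
        "altered_matches": same_content(local, altered), # False: content changed
    }


if __name__ == "__main__":
    print(demo())
```

In practice the same comparison is `git cat-file -p <local-sha> | head -1` against `git cat-file -p <landed-sha> | head -1` (or `git diff <local-sha> <landed-sha>`, which is empty when the trees are equal); the point of doing it by hand above is to make visible that the signature and committer sit in the commit object, not in the tree, so replacing one does not silently alter the other.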