| 1 |
On 06/15/2018 07:50 AM, Thomas Deutschmann wrote: |
| 2 |
> On 2018-06-15 04:27, kuzetsa wrote: |
| 3 |
>> I think I understand that viewpoint, but there's nuance: |
| 4 |
>> |
| 5 |
>> (it matters "more than zero", as you claimed) |
| 6 |
>> |
| 7 |
>> if proxy-maintainers or other contributors have no |
| 8 |
>> assurance that they aren't being impersonated, then |
| 9 |
>> a person in bad faith could spoof a submission. |
| 10 |
|
| 11 |
{...} |
| 12 |
|
| 13 |
> We can only rely on our own key management. If an attacker is able to |
| 14 |
> manipulate Gentoo LDAP (our single point of truth), |
| 15 |
|
| 16 |
{...} |
| 17 |
|
| 18 |
{...} /// proxy maintainer's signature will never appear in |
| 19 |
> Gentoo repository (it is always the developer's signature which will |
| 20 |
> replace the proxy maintainer's signature), there's no need to do |
| 21 |
> something like that at the moment because we have nothing to verify. |
| 22 |
|
| 23 |
{...} |
| 24 |
|
| 25 |
> - For Gentoo developers it is important to understand that you are |
| 26 |
> reliable for anything signed by your key. So it doesn't really matter if |
| 27 |
> the PR was spoofed or not. /// {...} |
| 28 |
I'm aware of this, and it's part of what I'm troubled by: |
| 29 |
|
| 30 |
the act of throwing away signatures from contributors is |
| 31 |
a thing which I had considered mentioning in a different |
| 32 |
context: ["Would you sign a Contributor License Agreement?"] |
| 33 |
|
| 34 |
"Gentoo Developer's Certificate of Origin" - shouldn't |
| 35 |
the author / contributor themselves be involved in this? |
| 36 |
|
| 37 |
contributor keys /do/ matter, at least until the point |
| 38 |
where a commit is in the tree (with signature replaced) |
| 39 |
|
| 40 |
at some point, the contributor exercises their judgment |
| 41 |
in saying to themselves: "yes, this matches what I wrote", |
| 42 |
and will then reconcile their local git tree with the |
| 43 |
official (developer-signed) one. |
| 44 |
|
| 45 |
^ meta-stuff for non-developer contributions ::sigh:: |
| 46 |
|
| 47 |
- for the original thing I was trying to say: |
| 48 |
|
| 49 |
the analogy could be made where an employer insists that |
| 50 |
all wages are issued to a preloaded debit card, rather |
| 51 |
than a bank transfer or paycheck which gets handled by |
| 52 |
the financial institution designated by each employee. |
| 53 |
|
| 54 |
while possible that banks could do something malicious, |
| 55 |
/not/ having a bank would increase the counterparty risk |
| 56 |
for employees; separation of duties might be an apt term? |
| 57 |
|
| 58 |
involving a 3rd party means the option is available to spot |
| 59 |
any discrepancies between activity / commits in the gentoo |
| 60 |
tree, versus the tree (on github, or any other 3rd party) |
| 61 |
which a contributor has made transparent / visible. |
| 62 |
|
| 63 |
-- kuza |
Archives