| 1 |
On 2018-06-15 04:27, kuzetsa wrote: |
| 2 |
> I think I understand that viewpoint, but there's nuance: |
| 3 |
> |
| 4 |
> (it matters "more than zero", as you claimed) |
| 5 |
> |
| 6 |
> if proxy-maintainers or other contributors have no |
| 7 |
> assurance that they aren't being impersonated, then |
| 8 |
> a person in bad faith could spoof a submission. |
| 9 |
> |
| 10 |
> it's a matter of convenience for the committing dev |
| 11 |
> to be able to verify my key was used for a commit. |
| 12 |
|
| 13 |
No! And I really hope nobody is doing that: |
| 14 |
|
| 15 |
Anyone with access to your GitHub account can add new keys. _We_ will |
| 16 |
not notice if _you_ or an attacker changed your account. Therefore, any |
| 17 |
third party for key management isn't an option and _must be_ ignored. |
| 18 |
|
| 19 |
We can only rely on our own key management. If an attacker is able to |
| 20 |
manipulate Gentoo LDAP (our single point of truth), Gentoo is lost. But |
| 21 |
until such a scenario, this is the only reliable way to verify and |
| 22 |
assume something. I.e. you cannot outsource identity management to a |
| 23 |
self-service portal as offered by GitHub's account preferences. |
| 24 |
|
| 25 |
It would be nice to maintain proxy maintainer's keys in a similar way. |
| 26 |
However, given that proxy maintainer's signature will never appear in |
| 27 |
Gentoo repository (it is always the developer's signature which will |
| 28 |
replace the proxy maintainer's signature), there's no need to do |
| 29 |
something like that at the moment because we have nothing to verify. |
| 30 |
|
| 31 |
In summary: |
| 32 |
|
| 33 |
- Any Gentoo developer who proxies someone should never ever trust a |
| 34 |
third part for identity management. Trust must be established between |
| 35 |
the dev and the proxy maintainer. |
| 36 |
|
| 37 |
- For Gentoo developers it is important to understand that you are |
| 38 |
reliable for anything signed by your key. So it doesn't really matter if |
| 39 |
the PR was spoofed or not. It does only matter if the commit was harmful |
| 40 |
or not. If there will ever be any doubts, it was _you_ (the Gentoo |
| 41 |
developer) who caused the resulting problem because you approved and merged. |
| 42 |
|
| 43 |
- Gentoo proxy-maintenance project is not a "push-through" service. :) |
| 44 |
|
| 45 |
- Having green "verified" indicators on commit view next to each commit |
| 46 |
on GitHub or any other non-Gentoo service is dangerous. Don't trust |
| 47 |
these indicators. They don't have a meaning for Gentoo, only for the |
| 48 |
platform you are using. |
| 49 |
|
| 50 |
|
| 51 |
-- |
| 52 |
Regards, |
| 53 |
Thomas Deutschmann / Gentoo Linux Developer |
| 54 |
C4DD 695F A713 8F24 2AA1 5638 5849 7EE5 1D5D 74A5 |
Archives