On 2018-06-15 04:27, kuzetsa wrote:
> I think I understand that viewpoint, but there's nuance:
>
> (it matters "more than zero", as you claimed)
>
> if proxy-maintainers or other contributors have no
> assurance that they aren't being impersonated, then
> a person in bad faith could spoof a submission.
>
> it's a matter of convenience for the committing dev
> to be able to verify my key was used for a commit.

No! And I really hope nobody is doing that:

Anyone with access to your GitHub account can add new keys. _We_ will
not notice if _you_ or an attacker changed your account. Therefore, any
third party for key management isn't an option and _must be_ ignored.

We can only rely on our own key management. If an attacker is able to
manipulate Gentoo LDAP (our single point of truth), Gentoo is lost. But
until such a scenario occurs, this is the only reliable way to verify and
assume something. I.e., you cannot outsource identity management to a
self-service portal such as the one offered by GitHub's account preferences.

It would be nice to maintain proxy maintainers' keys in a similar way.
However, given that a proxy maintainer's signature will never appear in the
Gentoo repository (it is always the developer's signature which replaces
the proxy maintainer's signature), there's no need to do something like
that at the moment because we have nothing to verify.

In summary:

- Any Gentoo developer who proxies someone should never ever trust a
third party for identity management. Trust must be established between
the dev and the proxy maintainer.

- For Gentoo developers it is important to understand that you are
responsible for anything signed by your key. So it doesn't really matter
whether the PR was spoofed or not. It only matters whether the commit was
harmful or not. If there are ever any doubts, it was _you_ (the Gentoo
developer) who caused the resulting problem, because you approved and merged.

- The Gentoo proxy-maintenance project is not a "push-through" service. :)

- Having green "verified" indicators in the commit view next to each commit
on GitHub or any other non-Gentoo service is dangerous. Don't trust
these indicators. They don't have a meaning for Gentoo, only for the
platform you are using.


-- 
Regards,
Thomas Deutschmann / Gentoo Linux Developer
C4DD 695F A713 8F24 2AA1 5638 5849 7EE5 1D5D 74A5
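What "rely on our own key management, ignore the platform's badge" looks like in practice, as an added example that is not part of the mail above and not Gentoo's tooling: the script judges a commit signature solely by whether the signing key's primary fingerprint is in an allowlist you control, and it deliberately ignores gpg's own TRUST_* web-of-trust lines as well as anything a hosting platform displays. The input is the raw gpg status output that `git verify-commit --raw <commit>` writes to stderr. The allowlist, the sample status lines and the names `Sample Developer`/`Someone Else` are constructed for the example; the one real value is the fingerprint from the mail's signature, used here only as sample data standing in for an entry from a project-run key directory.

```python
"""Accept a signed commit only if its signing key is in a key set we manage.

Input: the '[GNUPG:] KEYWORD args' status lines that
`git verify-commit --raw <commit>` prints to stderr (gpg --status-fd format).
The trusted set is illustrative; in the mail's setting it would be derived
from the project's own key directory, never from a hosting platform.
"""
import subprocess
from dataclasses import dataclass
from typing import Iterable, Iterator, List, Optional, Tuple

# Status keywords that mean "reject", regardless of what else gpg prints.
FATAL = {"BADSIG", "ERRSIG", "NO_PUBKEY", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}

# Illustrative allowlist of *primary* key fingerprints (sample data only).
TRUSTED_FPRS = {"C4DD 695F A713 8F24 2AA1 5638 5849 7EE5 1D5D 74A5"}


@dataclass
class Verdict:
    ok: bool
    reason: str
    primary_fpr: Optional[str] = None


def normalize_fpr(fpr: str) -> str:
    return fpr.replace(" ", "").upper()


def parse_status(lines: Iterable[str]) -> Iterator[Tuple[str, List[str]]]:
    """Yield (KEYWORD, args) for every '[GNUPG:] ...' line; skip the rest."""
    for line in lines:
        parts = line.strip().split()
        if len(parts) >= 2 and parts[0] == "[GNUPG:]":
            yield parts[1], parts[2:]


def verify_against_trusted(status_lines: Iterable[str],
                           trusted_fprs: Iterable[str]) -> Verdict:
    trusted = {normalize_fpr(f) for f in trusted_fprs}
    good, primary = False, None
    for keyword, args in parse_status(status_lines):
        if keyword in FATAL:
            return Verdict(False, f"gpg reported {keyword}")
        if keyword == "GOODSIG":
            good = True
        elif keyword == "VALIDSIG" and args:
            # args[0] is the (sub)key that made the signature; args[9], when
            # present, is the primary key fingerprint. Key directories list
            # primary keys, so that is what we compare.
            primary = normalize_fpr(args[9] if len(args) > 9 else args[0])
        # TRUST_* lines carry gpg's web-of-trust opinion: intentionally unused.
    if not (good and primary):
        return Verdict(False, "no GOODSIG/VALIDSIG pair in gpg output")
    if primary not in trusted:
        return Verdict(False, "signing key is not in our trusted set", primary)
    return Verdict(True, "signed by a key in our trusted set", primary)


def verify_commit(commit: str, repo: str = ".",
                  trusted_fprs: Iterable[str] = TRUSTED_FPRS) -> Verdict:
    """Run `git verify-commit --raw` on a real repo and judge its output."""
    proc = subprocess.run(["git", "-C", repo, "verify-commit", "--raw", commit],
                          capture_output=True, text=True, check=False)
    return verify_against_trusted(proc.stderr.splitlines(), trusted_fprs)


# Constructed sample status output (not captured from a real run).
STATUS_TRUSTED = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] GOODSIG 58497EE51D5D74A5 Sample Developer <dev@example.org>",
    "[GNUPG:] VALIDSIG 3B2E4D5F60718293A4B5C6D7E8F90A1B2C3D4E5F 2018-06-15 "
    "1529036820 0 4 0 1 10 01 C4DD695FA7138F242AA1563858497EE51D5D74A5",
    "[GNUPG:] TRUST_UNDEFINED 0 pgp",
]
# A good signature from a key that is not ours, even though gpg trusts it.
STATUS_UNKNOWN_KEY = [
    "[GNUPG:] GOODSIG 0123456789ABCDEF Someone Else <else@example.org>",
    "[GNUPG:] VALIDSIG 00112233445566778899AABBCCDDEEFF00112233 2018-06-15 "
    "1529036820 0 4 0 1 10 01 00112233445566778899AABBCCDDEEFF00112233",
    "[GNUPG:] TRUST_ULTIMATE 0 pgp",
]
# A signature made with a key that has since expired.
STATUS_EXPIRED = [
    "[GNUPG:] EXPKEYSIG 58497EE51D5D74A5 Sample Developer <dev@example.org>",
    "[GNUPG:] VALIDSIG 3B2E4D5F60718293A4B5C6D7E8F90A1B2C3D4E5F 2018-06-15 "
    "1529036820 0 4 0 1 10 01 C4DD695FA7138F242AA1563858497EE51D5D74A5",
]

if __name__ == "__main__":
    for name, status in [("trusted", STATUS_TRUSTED),
                         ("unknown key", STATUS_UNKNOWN_KEY),
                         ("expired key", STATUS_EXPIRED)]:
        print(name, verify_against_trusted(status, TRUSTED_FPRS))
```

Two design points follow directly from the mail: the allowlist is keyed on primary-key fingerprints rather than on GitHub account data, because account settings are self-service and anyone holding the account can add a key; and `STATUS_UNKNOWN_KEY` is rejected despite `TRUST_ULTIMATE`, because a "verified" badge or a local trust setting says only that some key signed, not that the key belongs to a known developer.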