[ciphershed] Re: Requiring GPG Signatures on Git Commits

  • From: Bill Cox <waywardgeek@xxxxxxxxx>
  • To: ciphershed@xxxxxxxxxxxxx
  • Date: Fri, 13 Jun 2014 15:00:55 -0400

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 6/13/2014 11:09 AM, Rocki Hack wrote:
>> An attacker gains access to your machine while it's powered on
>> and you are away (maybe gone to lunch?)
> 
> Sorry, but what? How responsible are you? Don't blame software for
> things it can't do...
> 
> If an attacker has physical access: _Checkmate_. You can easily
> dump the TrueCrypt master key from ram if the volume is currently
> mounted... Nothing you could do against it really...

I'm afraid we have to assume our development machines are already
compromised.  We also should assume github is compromised.  It is an
interesting problem, trying to write secure software on untrusted
machines, while collaborating with untrusted authors using untrusted
servers.  Linus has a small tree of trusted people he depends on, and
a secure-ish air-gapped machine.  We don't even have that.

If nothing else, signing commits before pushing protects our code
while it resides on US controlled servers at github.  Otherwise, we'd
have to find a more secure solution.  Note that Linux does *not*
develop on github.  He only mirrors to github, and never pulls, SFAIK.
If he did all his development on github, I think he would feel
differently about signing commits.  Also note that Linux has been
back-doored before on git mirrors.  People working with
unsigned development code cloned from untrusted mirrors like github
code are at risk.

I happen to be cloning linux from github right now...

Bill
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (MingW32)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBAgAGBQJTm0pnAAoJEL9an3rWhBk+iKkP/ipkv69TP5KVGJiaD/JFXPOQ
zyL93qFAmbq2RRHM1FEzM4uN4KGp0uzOxlU5iidQPGPF2+ruaSnRCvHHuQSyDlgr
7BhgXDDQVm32P4eqiCkPGJWL2UdsOCn+UZ+NmV2VlX/OjF//7YqilAhrUurgWYEM
g0pVJNLWUTnIcXBIrKJ6kAFYaJFO2ImtJQt3Pt4sqMwsd37Y6zVNKxsE+qglBv2I
zaBteFH5eqoSrTW5cycDtY/K3v5JJzwt68bL5e8YbZxhZ50wJomn3Qvo0REs5Xej
MvMrq+Z8+hliQfFv0osB2UMD43l1QafiW/XRCOgtBeWpiJRavjFXBN5GaqZTPeLA
4XrUWL68TZ5SracfOxgri5uPf/eWAC8piIoMbfikPSf9ImXvdOv7UT341OBHLQvm
Iku1BLeuZ6u77l8uEg0XPdehCrktaEUStqPHaHQLRdCWpA3lbhmsk/rUUUFUiyZo
RzaFhJi7K8bJEmbEelA8aE3vAHyEPMLcI12WiktjxUyB3WO+yAHRAPqc2Cm+nDbc
1JAGy3df8izgOl/96imzic3CnuYP3F2zkqFMJ8wkhaCyW/mXX8+17p9r0mEraZMO
seMIn1eHvAQ2wlb+3BylAxMnqfukYho22ApODDBm3nomvA1M6aKj0szrrUTWFHRk
BNA30vS0Q2aWTKUJJsi4
=wAP4
-----END PGP SIGNATURE-----
