From: Ludovic Courtès
To: "Frank Ch. Eigler"
Cc: "Frank Ch. Eigler", Overseers mailing list, Mark Wielaard
Subject: Re: gitsigur for protecting git repo integrity
Date: Fri, 14 Jul 2023 15:18:40 +0200
In-Reply-To: (Frank Ch. Eigler's message of "Mon, 10 Jul 2023 18:05:52 -0400")
Message-ID: <874jm6y6kv.fsf@gnu.org>

Hi Frank and all,

"Frank Ch. Eigler" wrote:

>> >> My understanding is that gitsigur checks signatures against an
>> >> out-of-band list of authorized keys, which isn’t very useful because
>> >> the set of authorized committers changes over time.
>> >
>> > The list of authorized keys is stored in a selected branch
>>
>> If it’s in another branch than the code it’s about, how can you tell
>> whether a key was authorized at a given point in the commit history?
>
> You're talking about retrospectively verifying old commit signatures,
> rather than verifying eligibility at the time of a push.

Both.
Assume a contributor has a genuine checkout; how do you ensure
that when they eventually run ‘git pull’ they can authenticate their
updated checkout? You need to somehow convey the updated set of
authorized committers to everyone who pulls from the repo. This is what
‘guix git authenticate’ addresses.

> gitsigur at uses the "current" contents of the keymaster repo/branch
> for the list of public keys. It could also look back in time, relying
> on that repo's commit timeline, to inspect the time-varying mapping.
> There is enough information there, so it's a SMOP.

“SMOP”? I think info about the set of authorized keys should be
stored in-band, in the repo. If you maintain it out-of-band, then you
can try to match timelines as you write, but it’s just an approximation,
it’s unreliable (you cannot rely on timestamps in Git commits, for
instance), and it doesn’t work once you have multiple branches.

I think you should take a look at Sections 4 and 5 of . Maybe
you’ll decide that ‘guix git authenticate’ is unsuitable and maybe
you’ll end up extending gitsigur instead, but I think the discussion
there is worth a look because it’s about precisely what we’re
discussing.

HTH!

Ludo’.
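
As an added illustration of the in-band versus out-of-band point in the message above (not part of the original e-mail, and not gitsigur or Guix code): a toy commit graph in which every commit carries its own key list. The commit ids, key names and the parent-based acceptance rule are assumptions of this sketch, and signatures are modelled as an already-verified signer field rather than real OpenPGP checks.

```python
# Added illustration: a toy commit graph, not gitsigur or Guix code.
# Signatures are modelled as an already-verified `signer` field; no real crypto.
from collections import namedtuple

# `authorized` stands for a key list stored in the commit's own tree (in-band).
Commit = namedtuple("Commit", "parents signer authorized")

# Constructed history. c0 is the genuine checkout the contributor starts from.
GRAPH = {
    "c0": Commit((), "alice", {"alice", "bob"}),
    "c1": Commit(("c0",), "bob", {"alice", "bob"}),
    "c2": Commit(("c1",), "alice", {"alice", "carol"}),  # bob retired, carol added
    "c3": Commit(("c2",), "carol", {"alice", "carol"}),  # tip of main
    "s1": Commit(("c1",), "bob", {"alice", "bob"}),      # stable branch, bob still listed
    "x1": Commit(("c2",), "bob", {"alice", "carol"}),    # bob's key used after removal
}

def authenticate(graph, trusted, tip):
    """In-band rule assumed here: a commit is accepted when its signer is listed
    in the key list of every parent, and every parent is itself accepted."""
    memo = {}
    def accepted(cid):
        if cid in trusted:
            return True
        if cid not in memo:
            c = graph[cid]
            memo[cid] = bool(c.parents) and all(
                accepted(p) and c.signer in graph[p].authorized for p in c.parents)
        return memo[cid]
    return accepted(tip)

def rejected_by_single_list(graph, key_list, tip):
    """Out-of-band model: compare every ancestor of `tip` with one key list."""
    seen, todo, bad = set(), [tip], []
    while todo:
        cid = todo.pop()
        if cid in seen:
            continue
        seen.add(cid)
        if graph[cid].signer not in key_list:
            bad.append(cid)
        todo.extend(graph[cid].parents)
    return sorted(bad)

if __name__ == "__main__":
    for tip in ("c3", "s1", "x1"):
        print(tip, authenticate(GRAPH, {"c0"}, tip),
              rejected_by_single_list(GRAPH, {"alice", "carol"}, tip))
```

In this constructed history no single key list separates `s1` (bob signing where he is still listed) from `x1` (bob signing after removal): the "current" list flags both along with the older `c1`, while a list that includes bob flags neither.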