it's almost as if the entire notion regarding signed commits as a way of verifying authenticity is just a false premise. I mean really, okay so you're saying they have your credentials to commit to a repository, but they can't suddenly get your GPG signing key? That you sign every commit so it would be unusual for you to commit unverified? Because I can tell you sometimes out of pure laziness I do not bother setting up my gpg keychain on a computer for certain git repositories.
-
mf even torvalds doesn't sign his commits like
-
I get it for signing packages that you've built right, that's understandable.
-
@puppygirlhornypost2 have never heard of anyone making the argument that "commits should be signed so they're verified as authentic from the very same official remote that only the authentic contributors would have the credentials to push to" i feel like that's not even remotely what the motivation is
-
@[email protected] i have heard the argument so many times it's unbelievable
-
@puppygirlhornypost2 yeah like if you want git stuff signed sign the tags
-
@[email protected] it's mainly github users. since github shows the "unverified" and "verified" trying to encourage commit signing. so like, if an attacker has access to your github account with your organization access and everything else I'd be far more worried about that than them committing to my git repositories.
-
@[email protected] of course im bringing up arguments from a decade ago on tech forums where people were insufferable about everything and didn't actually work in industry so
-
@puppygirlhornypost2 doesn't it only flag unverified commits if you specifically turn on vigilant mode on your account? that feels perfectly reasonable to me
-
@[email protected] @[email protected] the same people who say "you should disable root because it's dangerous!!! but also you should add your normal username to sudoers"
-
@[email protected] I don't remember enabling anything on my 3+ github accounts to show verified commit status. It could have changed in the past couple of years but I remember 5+ years ago it was just the default.
-
@puppygirlhornypost2 that's fair. i just think there's reasonable arguments to be made for signing commits and yet i've only ever seen points against it based on arguments about signing commits that i've never myself seen, so to me it just feels like a strawman but i'll take your word on it that people have genuinely made this argument cause it's by no means unbelievable!
-
@[email protected] @[email protected] me when i point out that giving access to su is just bad for everyone especially in combination with sudo. oh you want audits for things? sudo su now you can log into another user like also there's no way of disabling that without prohibiting root access to su so like
-
@[email protected] personally i think signed commits are whatever. i don't particularly care for them nor am i against them. if people want to sign their commits to make things more secure be my guest but this post was mainly made in response to a post i saw where github showed verified commits with expired keys.
-
@puppygirlhornypost2 i checked a repo and a friend's unverified commits don't have that label but mine do cause i turned that on for whatever reason at some point, so it seems it's a setting
-
@puppygirlhornypost2 @h also, if they have access to the account they also have access to change the keys used for verification in the profile. they can just add their own keys and then commit using those, and those commits will be shown as verified anyway
-
@[email protected] i just wanted to point out for the most part it doesn't matter. i mean, nothing is foolproof and certainly you may want to sign your commits depending on your threat model (especially since it's relatively easy to change your name and commit as someone else without signatures)
-
@[email protected] @[email protected] imo this is less plausible because typically developers have their keychains verified on third party key servers like MIT. People will notice it's not the usual keychain verifying the commits in that case (hopefully). I'd see it as more suspicious if someone made a new signing key for commits instead of just not signing commits.
-
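An added example, not part of this thread: a small Python audit over `git log --format='%H|%ae|%G?|%GF'` output that treats the platform's "verified" badge as insufficient and instead checks each commit's signing-key fingerprint against a list pinned per author out of band, so a key someone adds to a profile is flagged rather than trusted, as are expired keys and unsigned commits. The log lines, author addresses and fingerprints are constructed sample data.

```python
from typing import Dict, List, NamedTuple

# Constructed sample of `git log --format='%H|%ae|%G?|%GF'` output (not real commits).
# %G? codes per git-log(1): G good, B bad, U good/unknown validity, X good but expired,
# Y good signature by an expired key, R revoked, E missing key, N no signature.
SAMPLE_LOG = """\
1111111111111111111111111111111111111111|alice@example.com|G|AAAA1111AAAA1111AAAA1111AAAA1111AAAA1111
2222222222222222222222222222222222222222|alice@example.com|G|FFFF9999FFFF9999FFFF9999FFFF9999FFFF9999
3333333333333333333333333333333333333333|bob@example.com|X|BBBB2222BBBB2222BBBB2222BBBB2222BBBB2222
4444444444444444444444444444444444444444|bob@example.com|N|
5555555555555555555555555555555555555555|carol@example.com|G|CCCC3333CCCC3333CCCC3333CCCC3333CCCC3333
"""

# Author -> allowed signing-key fingerprints, pinned in a place the account holder's
# profile cannot edit (constructed values for this example).
PINNED_KEYS: Dict[str, List[str]] = {
    "alice@example.com": ["AAAA1111AAAA1111AAAA1111AAAA1111AAAA1111"],
    "bob@example.com": ["BBBB2222BBBB2222BBBB2222BBBB2222BBBB2222"],
}


class Finding(NamedTuple):
    commit: str
    author: str
    reason: str


def audit_commits(log_text: str, pinned: Dict[str, List[str]]) -> List[Finding]:
    """Return one Finding per commit whose signature does not meet the pinned policy."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        commit, author, status, fpr = line.split("|", 3)
        if status == "N":
            findings.append(Finding(commit, author, "unsigned"))
        elif status in ("B", "R", "E"):
            findings.append(Finding(commit, author, f"bad signature ({status})"))
        elif status in ("X", "Y"):
            # Cryptographically valid, but a badge that hides key expiry is worth flagging.
            findings.append(Finding(commit, author, "signed with expired key"))
        elif author not in pinned:
            findings.append(Finding(commit, author, "author has no pinned key"))
        elif fpr not in pinned[author]:
            # Valid signature from a key that was never pinned for this author.
            findings.append(Finding(commit, author, f"signed with unpinned key {fpr[-8:]}"))
    return findings


if __name__ == "__main__":
    for f in audit_commits(SAMPLE_LOG, PINNED_KEYS):
        print(f"{f.commit[:12]} {f.author}: {f.reason}")
```

Run against a real repository with `git log --format='%H|%ae|%G?|%GF' | python audit.py` after replacing the sample with stdin; the pinned list is the part that has to live outside the account being audited.
-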
@[email protected] @[email protected] like the entire point of su for me is to run things as another user i use it for service accounts all the time so it would defeat the point if i suddenly added passwords to my service accounts and had to verify the password through root
-
@puppygirlhornypost2 @h Well ig in the high-tier repos those will be verified so makes sense
Tho like Github doesn't really integrate with third party key servers I think? It just uses keys stored in the profile