Jeffrey Walton wrote:
> You should probably mention commit signing

Why should we mention this? The Gnulib repository doesn't use signed commits.
And IMO it doesn't need to. Last time we discussed this, IIRC Simon noted that
enforcing signed commits hampers development by causing hassles to the developers.

It is said that the attacks against which commit signing protects are the following:

(1) Commit Spoofing (Author Impersonation): Anyone can write a commit and set the
    --author field to any name and email address, impersonating a trusted developer.
(2) An attacker submits code to a project (via PR) using a fake identity.
(3) In compromised or untrusted infrastructure, an attacker rewrites commits or
    injects malicious code.
(4) Loss of Audit Trail: In regulated environments (e.g., in financial, medical,
    or defense projects), it's critical to know who wrote what and when.

In Gnulib:

(1) If this happens, the respective Gnulib developer surely will lose trust.
    This doesn't even happen in the Linux kernel. Last time this appeared to
    happen in Linux, it was a tooling bug.
(2) We accept contributions via patches sent over mailing lists. Signed git
    commits wouldn't protect us against this attack.
(3) We rely on savannah being trusted infrastructure. I don't think it makes
    sense to treat savannah like an untrustworthy hoster.
(4) GNU is not operating in a regulated environment.

In summary, signed commits would not be worth the hassles they cause.

Bruno
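For readers weighing the argument above, the following is an added example (not part of the thread, and not Gnulib's or Savannah's tooling) of what the defender's side of commit signing looks like in practice: an audit that reads git's own per-commit signature status (the `%G?` and `%GK` placeholders of `git log --format`) and flags unsigned commits, commits with a bad or unverifiable signature, and commits signed by a key outside an assumed allowlist. The sample log lines, hashes, key ids and addresses are constructed for the example; `run_git_log` is the only part that touches a real repository.

```python
import subprocess
from dataclasses import dataclass
from typing import Optional

# git log output format used by run_git_log(): one commit per line, tab-separated.
#   %H  full hash        %G? signature status (G B U X Y R E N)
#   %GK signing key id   %ae author email       %s subject
LOG_FORMAT = "%H%x09%G?%x09%GK%x09%ae%x09%s"

# Meaning of the %G? status letters as documented in git-log(1).
STATUS_TEXT = {
    "G": "good signature",
    "B": "bad signature",
    "U": "good signature, unknown validity",
    "X": "good signature, expired",
    "Y": "good signature, expired key",
    "R": "good signature, revoked key",
    "E": "cannot check (missing key)",
    "N": "no signature",
}

# Constructed sample of the above format (hashes, keys and addresses are fake).
SAMPLE_LOG = (
    "1111111\tG\tAAAA1111\talice@example.org\tdoc: fix typo\n"
    "2222222\tN\t\tbob@example.org\tbuild: tweak flags\n"
    "3333333\tG\tBBBB2222\tmallory@example.org\tlib: add helper\n"
    "4444444\tB\tAAAA1111\talice@example.org\tlib: refactor\n"
)


@dataclass
class CommitRecord:
    commit: str
    sig_status: str
    key: str
    author_email: str
    subject: str


def parse_log(text: str) -> list[CommitRecord]:
    """Parse lines produced by LOG_FORMAT into CommitRecord objects."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        # maxsplit=4 keeps any tabs inside the subject intact.
        parts = line.split("\t", 4)
        if len(parts) != 5:
            raise ValueError(f"unexpected git log line: {line!r}")
        records.append(CommitRecord(*parts))
    return records


def audit(records: list[CommitRecord],
          trusted_keys: Optional[set[str]] = None) -> list[tuple[str, str]]:
    """Return (commit, reason) for every commit that fails the signing policy.

    Policy: every commit must carry a good signature; if trusted_keys is given,
    the signing key must also be in that set.  Author email is deliberately not
    trusted on its own, since --author can be set to anything.
    """
    findings = []
    for r in records:
        if r.sig_status == "N":
            findings.append((r.commit, f"unsigned commit, author {r.author_email}"))
        elif r.sig_status != "G":
            desc = STATUS_TEXT.get(r.sig_status, "unknown status")
            findings.append((r.commit, f"signature status {r.sig_status}: {desc}"))
        elif trusted_keys is not None and r.key not in trusted_keys:
            findings.append((r.commit, f"signed by key {r.key} not in trusted set"))
    return findings


def run_git_log(repo: str, rev_range: str = "HEAD") -> list[CommitRecord]:
    """Collect records from a real repository (requires git and the signers' keys)."""
    out = subprocess.run(
        ["git", "-C", repo, "log", f"--format={LOG_FORMAT}", rev_range],
        check=True, capture_output=True, text=True,
    ).stdout
    return parse_log(out)


if __name__ == "__main__":
    for commit, reason in audit(parse_log(SAMPLE_LOG), trusted_keys={"AAAA1111"}):
        print(commit, reason)
```

Note that `%G?` only reports what the local keyring can verify, so the check is only as good as the key distribution behind it, and, as the message above points out, it says nothing about patches that arrive by mail and are committed by a maintainer.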