On Sun, Mar 31, 2024 at 08:16:33AM +0200, Lucas Nussbaum wrote:
> On 29/03/24 at 23:29 -0700, Russ Allbery wrote:
> > This is why I am somewhat skeptical that forcing everything into Git
> > commits is as much of a benefit as people are hoping. This particular
> > attacker thought it was better to avoid the Git repository, so that is
> > evidence in support of that approach, and it's certainly more helpful,
> > once you know something bad has happened, to be able to use all the Git
> > tools to figure out exactly what happened. But I'm not sure we're fully
> > accounting for the fact that tags can be moved, branches can be
> > force-pushed, and if the Git repository is somewhere other than GitHub,
> > the malicious possibilities are even broader.
>
> I wonder if Software Heritage could help with that part?
Yeah (provided that archival happens at the right moment), you can use Software Heritage APIs to detect, for instance, git history rewrites as well as commits moving from one branch/tag to another.

It occurs to me that in the Guix/Nix packaging model, where they note down the commit of interest in their packaging recipe, you'll also automatically discover if a commit disappeared from the upstream repo without needing a lot of extra tooling/integration (although not if it has moved between branches). However, you need a backup place to retrieve the commit from in case it disappears or gets rewritten upstream (Guix uses Software Heritage for this).

Cheers
-- 
Stefano Zacchiroli . z...@upsilon.cc . https://upsilon.cc/zack
Full professor of Computer Science, Télécom Paris, Polytechnic Institute of Paris
Co-founder & CTO Software Heritage
https://twitter.com/zacchiro . https://mastodon.xyz/@zacchiro
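As an added illustration of the check described in this reply (example code written for this page, not code from the thread, Software Heritage or Guix), the comparison below takes an archived ref snapshot (ref name to commit id, the shape Software Heritage records) and the current one, plus the commit parent graph, and reports whether a pinned commit vanished, moved between refs, or sits behind a force-pushed branch or a re-pointed tag. All commit ids, ref names and snapshots are constructed.

```python
from typing import Dict, List, Set, Tuple

Snapshot = Dict[str, str]        # ref name -> commit id it points at
Parents = Dict[str, List[str]]   # commit id -> parent commit ids

def ancestors(head: str, parents: Parents) -> Set[str]:
    """All commits reachable from head, head itself included."""
    seen, stack = set(), [head]
    while stack:
        c = stack.pop()
        if c in seen:
            continue
        seen.add(c)
        stack.extend(parents.get(c, []))
    return seen

def refs_containing(commit: str, snap: Snapshot, parents: Parents) -> List[str]:
    """Sorted list of refs from which the commit is still reachable."""
    return sorted(r for r, h in snap.items() if commit in ancestors(h, parents))

def audit(pinned: str, archived: Snapshot, current: Snapshot, parents: Parents) -> List[Tuple]:
    """Findings a packager would want before trusting the upstream repo again."""
    findings: List[Tuple] = []
    before = refs_containing(pinned, archived, parents)
    after = refs_containing(pinned, current, parents)
    if not after:                      # commit gone upstream: fetch it from the archive
        findings.append(("unreachable", pinned))
    elif before != after:              # still present, but not where it used to be
        findings.append(("moved", pinned, before, after))
    for ref, old in archived.items():
        new = current.get(ref)
        if new is None:
            findings.append(("ref-deleted", ref, old))
        elif new == old:
            continue
        elif ref.startswith("refs/tags/"):   # tags are expected to be immutable
            findings.append(("tag-moved", ref, old, new))
        elif old not in ancestors(new, parents):   # non-fast-forward: history rewritten
            findings.append(("force-push", ref, old, new))
    return findings

# Constructed history: main was force-pushed so c3/d4 were replaced by c3x/d4x,
# the v1.0 tag was re-pointed, and a feature branch still hangs off the old c3.
PARENTS: Parents = {"a1": [], "b2": ["a1"], "c3": ["b2"], "d4": ["c3"],
                    "c3x": ["b2"], "d4x": ["c3x"], "e5": ["c3"]}
ARCHIVED: Snapshot = {"refs/heads/main": "d4", "refs/tags/v1.0": "c3", "refs/heads/feature": "e5"}
CURRENT: Snapshot = {"refs/heads/main": "d4x", "refs/tags/v1.0": "c3x", "refs/heads/feature": "e5"}
PINNED = "c3"   # the commit recorded in the packaging recipe

if __name__ == "__main__":
    for finding in audit(PINNED, ARCHIVED, CURRENT, PARENTS):
        print(finding)
```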