bug#61277: FR: ELPA security - Restrict package builds to signed git commits

From: Stefan Kangas
Subject: bug#61277: FR: ELPA security - Restrict package builds to signed git commits
Date: Sun, 12 Feb 2023 06:37:01 +0000
Richard Stallman <rms@gnu.org> writes:

> > In the case of a breach,
>
> Breach of precisely what? To think about this issue
> requires an answer to that question.

The idea is that the likelihood of both an SSH and a PGP key getting
stolen at the same time is lower than either one of them getting stolen
separately.

> > both the SSH and GPG keys may be stolen, which
> > would allow an attacker to create commits on hosted repositories, such
> > that the mechanism would not help.
>
> Is this a problem that has a solution?

Yes, for example you could put your PGP key (usually a subkey)
on a smartcard, and have no copy on the local filesystem.

PGP keys usually also have an additional password, in addition to the
one that developers normally (we hope) use for their SSH key.
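The build gate this feature request is about, as an added example written for this page rather than ELPA's own build code: a POSIX shell check that refuses a package build unless every commit in a range carries a good OpenPGP signature from an allowlisted maintainer fingerprint. The fingerprints and the sample git log lines are constructed placeholders; the assumed real input is the output of `git log --format='%H %G? %GF' base..head`.

```shell
#!/bin/sh
# Added example, not ELPA's build code: refuse a package build unless every
# commit in a range has a good OpenPGP signature from an allowlisted key.
# Input lines are the (assumed) output of git log --format='%H %G? %GF',
# i.e. "<hash> <signature status> <signing-key fingerprint>" per commit.

# Constructed placeholder fingerprints standing in for maintainer keys.
ALLOWED_FPRS="0123456789ABCDEF0123456789ABCDEF01234567
FEDCBA9876543210FEDCBA9876543210FEDCBA98"

# Return 0 if $1 is an allowlisted fingerprint, 1 otherwise.
fpr_allowed() {
    for allowed in $ALLOWED_FPRS; do
        [ "$allowed" = "$1" ] && return 0
    done
    return 1
}

# Read "hash status fingerprint" lines on stdin, print one verdict per commit,
# return 1 if any commit fails. %G? codes: G = good signature; U = good
# signature, key validity unknown (accepted here because trust comes from the
# allowlist, not the gpg trust db); N = unsigned; B/X/Y/R/E = bad, expired,
# expired key, revoked, cannot check. Only G and U with a listed key pass.
check_signed_commits() {
    bad=0
    while read -r hash status fpr; do
        [ -z "$hash" ] && continue
        case "$status" in
            G|U)
                if fpr_allowed "$fpr"; then
                    echo "ok   $hash signed by $fpr"
                else
                    echo "FAIL $hash signed by non-maintainer key $fpr"; bad=1
                fi ;;
            N)  echo "FAIL $hash is unsigned"; bad=1 ;;
            *)  echo "FAIL $hash signature status $status (bad/expired/revoked/unverifiable)"; bad=1 ;;
        esac
    done
    return "$bad"
}

# Constructed sample log: allowed key, unsigned commit, allowed key with
# unknown validity, and a good signature from a key that is not allowlisted.
SAMPLE_LOG="aaaa111 G 0123456789ABCDEF0123456789ABCDEF01234567
bbbb222 N
cccc333 U FEDCBA9876543210FEDCBA9876543210FEDCBA98
dddd444 G 1111111111111111111111111111111111111111"

# In a real build the pipe would start with git log instead of printf.
printf '%s\n' "$SAMPLE_LOG" | check_signed_commits || echo "build blocked"
```

Pointing GNUPGHOME at a keyring that holds only the maintainers' public keys keeps the allowlist and the verification keyring from drifting apart.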