GNU bug report logs - #61277
FR: ELPA security - Restrict package builds to signed git commits


Package: emacs;

Reported by: Daniel Mendler <mail <at> daniel-mendler.de>

Date: Sat, 4 Feb 2023 18:20:02 UTC

Severity: wishlist

Tags: security



Message #32 received at 61277 <at> debbugs.gnu.org (full text, mbox):

From: Stefan Kangas <stefankangas <at> gmail.com>
To: rms <at> gnu.org, Daniel Mendler <mail <at> daniel-mendler.de>
Cc: 61277 <at> debbugs.gnu.org, yantar92 <at> posteo.net, monnier <at> iro.umontreal.ca
Subject: Re: bug#61277: FR: ELPA security - Restrict package builds to signed git commits
Date: Sun, 12 Feb 2023 06:37:01 +0000
Richard Stallman <rms <at> gnu.org> writes:

>   > In the case of a breach,
>
> Breach of precisely what?  To think about this issue
> requires an answer to that question.

The idea is that the likelihood of both an SSH and a PGP key getting
stolen at the same time is lower than either one of them getting stolen
separately.

>
>                              both the SSH and GPG keys may be stolen, which
>   > would allow an attacker to create commits on hosted repositories, such
>   > that the mechanism would not help.
>
> Is this a problem that has a solution?

Yes, for example you could put your PGP key (usually a subkey)
on a smartcard, and have no copy on the local filesystem.

PGP keys usually also have an additional password, in addition to the
one that developers normally (we hope) use for their SSH key.
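An added example, not ELPA's own build scripts, of the gate the feature request asks for: a build step that refuses to proceed unless every commit it would pull in carries a good signature from an allow-listed maintainer key. It assumes git and gpg are installed, and the fingerprint in TRUSTED_FPRS is a placeholder.

```shell
#!/bin/sh
# Added example (not ELPA's build code). Gate a package build on every commit in
# the build range carrying a verified signature from an allow-listed key.
# TRUSTED_FPRS: whitespace-separated full key fingerprints (placeholder value).
TRUSTED_FPRS="${TRUSTED_FPRS:-AAAA1111BBBB2222CCCC3333DDDD4444EEEE5555}"

# Evaluate "<hash> <sigstatus> <fingerprint>" lines, one per commit, as printed
# by: git log --format='%H %G? %GF' <base>..<head>
# %G? is G (good), U (good, untrusted key), B (bad), N (none), E/X/Y/R (errors
# or expired/revoked). Returns 0 only if every commit is G or U *and* its
# signing key is in the allow-list, so an untrusted-but-valid key is rejected.
check_signed_commits() {
    trusted="$1"
    rc=0
    while read -r hash status fpr; do
        [ -n "$hash" ] || continue
        case "$status" in
            G|U) ;;   # signature verified; still require an allow-listed key
            *) echo "REJECT $hash: signature status '$status'" >&2; rc=1; continue ;;
        esac
        case " $trusted " in
            *" $fpr "*) echo "OK     $hash signed by $fpr" ;;
            *) echo "REJECT $hash: key '$fpr' not in allow-list" >&2; rc=1 ;;
        esac
    done
    return $rc
}

# Wrapper for a real checkout: verify_build_range <repo-dir> <last-built-rev> <candidate-rev>
# Exit status is non-zero if any commit between the two revisions fails the check.
verify_build_range() {
    git -C "$1" log --format='%H %G? %GF' "$2..$3" | check_signed_commits "$TRUSTED_FPRS"
}
```

Because a signature made with a stolen key still verifies as G, the allow-list only narrows which keys count, which is why the thread discusses keeping the signing key on a smartcard.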
