Investigate push-signing and transparency logs as mitigation for repository attacks
For background see:
- https://people.kernel.org/monsieuricon/signed-git-pushes
- https://korg.docs.kernel.org/gitolite/transparency-log.html
The idea here would be that some repositories (e.g. tor.git) could require signed pushes. Then we could archive these signed pushes in an append-only log, for auditing.
There are subproblems that would need to be solved for this to work:
- Only allow signed pushes on certain repositories (would require a per-repository gitolite hook).
- Allow signed pushes (requires setting certain options in gitconfig, see `certNonceSeed`, `certNonceSlop`, and `advertisePushOptions`).
- Make an append-only log of these signed pushes (possibly using trillian, possibly using some simpler transparency-log tool).
- Make a tool to audit this log and make sure that it's consistent and that it generates the current state of the repository.
- Decide what to do about key management.
And possibly:
- Make a tool that can be used at pull time to check the latest branch against the log.
There are also some sub-sub-problems:
- Can we disable the merge button on target repositories?
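As an added sketch of the first three subproblems (not the ticket's own tooling or a gitolite feature): a hypothetical per-repository `pre-receive` hook that rejects anything but a well-signed, fresh push certificate, appends each certificate to a hash-chained log, and a matching audit function that checks the chain is consistent. It assumes the server-side config shown in the header comment and relies on the `GIT_PUSH_CERT*` variables git exports to receive hooks; the log format and the `push-certs.log` path are assumptions.

```shell
#!/bin/sh
# Hypothetical pre-receive hook for a gitolite-managed repo that must only accept
# signed pushes (illustration added here, not the ticket's own tooling).
# Assumes the server-side repository is configured with:
#   git config receive.certNonceSeed "$(head -c 32 /dev/urandom | base64)"
#   git config receive.certNonceSlop 60
#   git config receive.advertisePushOptions true
# git then exports the push certificate to hooks via GIT_PUSH_CERT* (githooks(5)).

# check_push_cert STATUS NONCE_STATUS -> 0 if the push may proceed, else 1.
# STATUS is GIT_PUSH_CERT_STATUS (same letters as %G? in git log: G good, B bad,
# U good but unknown validity, N none); NONCE_STATUS is GIT_PUSH_CERT_NONCE_STATUS.
check_push_cert() {
  case "$1" in
    G) ;;
    "") echo "rejected: this repository only accepts 'git push --signed'"; return 1 ;;
    *) echo "rejected: push certificate signature status '$1'"; return 1 ;;
  esac
  case "$2" in
    OK|SLOP) return 0 ;;   # SLOP: nonce reused within receive.certNonceSlop seconds
    *) echo "rejected: nonce status '$2' (stale or replayed certificate)"; return 1 ;;
  esac
}

# append_to_log LOGFILE CERT_TEXT: hash-chained append-only record of each cert.
# Each line is "<entry-hash> <cert-hash>" with entry-hash = sha256(prev-entry-hash
# || cert-hash), so truncation or edits break the chain on audit (assumed format).
append_to_log() {
  prev=$(tail -n 1 "$1" 2>/dev/null | cut -d' ' -f1)
  [ -n "$prev" ] || prev=$(printf '' | sha256sum | cut -d' ' -f1)   # genesis value
  c=$(printf '%s' "$2" | sha256sum | cut -d' ' -f1)
  e=$(printf '%s%s' "$prev" "$c" | sha256sum | cut -d' ' -f1)
  printf '%s %s\n' "$e" "$c" >> "$1"
}

# verify_log LOGFILE: recompute the chain; 0 if consistent, 1 at the first break.
verify_log() {
  prev=$(printf '' | sha256sum | cut -d' ' -f1)
  while read -r e c; do
    [ "$(printf '%s%s' "$prev" "$c" | sha256sum | cut -d' ' -f1)" = "$e" ] || return 1
    prev=$e
  done < "$1"
}

# Hook entry point: only runs when git invokes us (git sets GIT_DIR for hooks).
if [ -n "${GIT_DIR:-}" ]; then
  check_push_cert "${GIT_PUSH_CERT_STATUS:-}" "${GIT_PUSH_CERT_NONCE_STATUS:-}" || exit 1
  append_to_log "$GIT_DIR/push-certs.log" "$(git cat-file blob "$GIT_PUSH_CERT")"
fi
```

The log only proves append-order consistency; tying it to "the current state of the repository" (the fourth subproblem) would mean also recording the ref updates the hook reads on stdin alongside each certificate.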