Skip to content
GitLab
  • Menu
Projects Groups Snippets
  • Help
    • Help
    • Support
    • Community forum
    • Submit feedback
    • Contribute to GitLab
  • Sign in
  • Gitlab Gitlab
  • Project information
    • Project information
    • Activity
    • Labels
    • Members
  • Issues 14
    • Issues 14
    • List
    • Boards
    • Service Desk
    • Milestones
  • Monitor
    • Monitor
    • Incidents
  • Analytics
    • Analytics
    • Value stream
  • External wiki
    • External wiki
  • Activity
  • Create a new issue
  • Issue Boards
Collapse sidebar
  • The Tor Project
  • TPA
  • GitlabGitlab
  • Issues
  • #98
Closed
Open
Created Apr 19, 2021 by Nick Mathewson@nickm👁Developer

Investigate push-signing and transparency logs as mitigation for repository attacks

For background see:

  • https://people.kernel.org/monsieuricon/signed-git-pushes
  • https://korg.docs.kernel.org/gitolite/transparency-log.html

The idea here would be that some repositories (eg tor.git) could require signed pushes. Then we could archive these signed pushes in an append-only log, for auditing.

There are subproblems that would need to be solved for this to work:

  • Only allow signed pushes on certain repositories (would require a per-repository gitolite hook).
  • Allow signed pushes (requires setting certain options in gitconfig, see certNonceSeed, certNonceSlop, and advertisePushOptions)
  • Make an append-only log of these signed pushes (possibly using trillian, possibly using some simpler transparency-log tool).
  • Make a tool to audit this log and make sure that it's consistent and that it generates the current state of the repository.
  • Decide what to do about key management.

And possibly:

  • Make a tool that can be used at pull time to check the latest branch against the log.

There are also some sub-sub problems:

  • Can we disable the merge button on target repositories?
To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information
Assignee
Assign to
Time tracking