Skip to content

GitLab

GitLab is used only for code review, issue tracking and project management. Canonical locations for source code are still https://gitweb.torproject.org/ https://git.torproject.org/ and git-rw.torproject.org.

Open
Created by Nick Mathewson@nickm🍓Developer

Investigate push-signing and transparency logs as mitigation for repository attacks

For background see:

The idea here would be that some repositories (eg tor.git) could require signed pushes. Then we could archive these signed pushes in an append-only log, for auditing.

There are subproblems that would need to be solved for this to work:

  • Only allow signed pushes on certain repositories (would require a per-repository gitolite hook).
  • Allow signed pushes (requires setting certain options in gitconfig, see certNonceSeed, certNonceSlop, and advertisePushOptions)
  • Make an append-only log of these signed pushes (possibly using trillian, possibly using some simpler transparency-log tool).
  • Make a tool to audit this log and make sure that it's consistent and that it generates the current state of the repository.
  • Decide what to do about key management.

And possibly:

  • Make a tool that can be used at pull time to check the latest branch against the log.

There are also some sub-sub problems:

  • Can we disable the merge button on target repositories?
To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information