Investigate push-signing and transparency logs as mitigation for repository attacks
For background see:
The idea here would be that some repositories (eg tor.git) could require signed pushes. Then we could archive these signed pushes in an append-only log, for auditing.
There are subproblems that would need to be solved for this to work:
- Only allow signed pushes on certain repositories (would require a per-repository gitolite hook).
- Allow signed pushes (requires setting certain options in gitconfig, see
- Make an append-only log of these signed pushes (possibly using trillian, possibly using some simpler transparency-log tool).
- Make a tool to audit this log and make sure that it's consistent and that it generates the current state of the repository.
- Decide what to do about key management.
- Make a tool that can be used at pull time to check the latest branch against the log.
There are also some sub-sub problems:
- Can we disable the merge button on target repositories?