
master branch protection #130

Open
trishankatdatadog opened this issue Dec 16, 2020 · 6 comments
@trishankatdatadog
Member

For the master branch, could we:

  • require signed commits?
  • require >=2 reviews?
@joshuagl
Member

Agreed that requiring >= 2 reviews, as in the specification repo, is a good idea.

We don't require signed commits anywhere else, are you suggesting we should? I'm not opposed, just trying to clarify.

@trishankatdatadog
Member Author

> We don't require signed commits anywhere else, are you suggesting we should? I'm not opposed, just trying to clarify.

Might be a good idea to require 2FA, signed commits, and >= 2 reviews on all of our repos.

@joshuagl
Member

Completely agree with 2FA and >=2 reviews.

I'm wary about requiring signed commits, because managing GPG keys without a security token is not something I feel comfortable asking folks to do.

What would be the value of signed commits? Would we still get that value from maintainers signing their commits?
We could suggest for signed commits from all contributors and expect it from our maintainers (who I think all have YubiKeys).

@trishankatdatadog
Member Author

> What would be the value of signed commits? Would we still get that value from maintainers signing their commits?

Although 2FA reduces the risk of unauthorized commits from maintainers, signed commits reduce that risk even further. The threat model is rather specific, but I think it's especially valuable for our project.

> We could suggest for signed commits from all contributors and expect it from our maintainers (who I think all have YubiKeys).

Agreed, but it's hard to enforce this. One thing we can do is require signed commits, and use GitHub's automatic signing of merges.

@joshuagl
Member

> What would be the value of signed commits? Would we still get that value from maintainers signing their commits?
>
> Although 2FA reduces the risk of unauthorized commits from maintainers, signed commits reduce that risk even further. The threat model is rather specific, but I think it's especially valuable for our project.

My original comment should have read "Would we still get that value from only maintainers signing their commits"? To which, I think you're answering no?

I think it's worth pointing out that requiring signed commits places an additional barrier in the way of potential new contributors. That barrier may be an acceptable price to pay, given the nature of our project.

Do we need a TUF contributors key signing party in the post-pandemic era?

@trishankatdatadog
Member Author

trishankatdatadog commented Dec 17, 2020

> My original comment should have read "Would we still get that value from only maintainers signing their commits"? To which, I think you're answering no?

I think so, yes, if at least for optics. If we talk about nation-state attacks, then we must take things seriously by signing our own commits, but that's just my 0.02 BTC.

> I think it's worth pointing out that requiring signed commits places an additional barrier in the way of potential new contributors. That barrier may be an acceptable price to pay, given the nature of our project.

It certainly does place an additional barrier. One way we can solve the problem is by getting GitHub to automatically sign a PR that squashes all the commits from the web site. (Someone correct me if I'm wrong here.) It's much less valuable for contributors to sign their commits, because we can never be certain who they are and what their intent really is, so it's on us to thoroughly vet their contributions.

> Do we need a TUF contributors key signing party in the post-pandemic era?

🎉
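A way to audit whether a branch already satisfies the rule proposed in this thread (every commit carries a valid signature from a maintainer key or from the key GitHub uses to sign web-flow merges), added here as an example and not code from the TUF project or the participants. The `git_log` helper, the key IDs, the SHAs and the sample log are constructed placeholders; the `%G?` status codes are the ones documented in git-log(1).

```python
import subprocess
from dataclasses import dataclass

# %G? codes from git-log(1): G good, U good signature but key of unknown
# validity, B bad, X/Y expired signature/key, R revoked key, E cannot check,
# N no signature at all.
GOOD = {"G"}
UNKNOWN_VALIDITY = {"U"}

@dataclass
class Commit:
    sha: str
    status: str   # %G? code
    key_id: str   # %GK signing key ID, empty for unsigned commits

def git_log(branch):
    """Assumed helper: one tab-separated line per commit on `branch`."""
    fmt = "--format=%H%x09%G?%x09%GK"
    return subprocess.check_output(["git", "log", fmt, branch], text=True)

def parse_log(text):
    """Turn the tab-separated git output into Commit records."""
    commits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        sha, status, key = (line.split("\t") + ["", ""])[:3]
        commits.append(Commit(sha, status, key))
    return commits

def violations(commits, trusted_keys, allow_unknown_validity=True):
    """Return (sha, reason) for each commit failing the signed-commit rule."""
    accepted = GOOD | (UNKNOWN_VALIDITY if allow_unknown_validity else set())
    found = []
    for c in commits:
        if c.status not in accepted:
            found.append((c.sha, f"signature status {c.status!r}"))
        elif c.key_id not in trusted_keys:   # signed, but not by a key we trust
            found.append((c.sha, f"signed by untrusted key {c.key_id}"))
    return found

# Constructed sample (fake SHAs and key IDs), not output from a real repo.
TRUSTED_KEYS = {"MAINTAINER_KEY_1", "MAINTAINER_KEY_2", "GITHUB_WEB_FLOW_KEY"}
SAMPLE_LOG = (
    "aaaa1111\tG\tGITHUB_WEB_FLOW_KEY\n"   # squash merge signed by GitHub
    "bbbb2222\tG\tMAINTAINER_KEY_1\n"      # maintainer-signed commit
    "cccc3333\tN\t\n"                      # unsigned contributor commit
    "dddd4444\tG\tSOMEONE_ELSE_KEY\n"      # valid signature, unknown key
    "eeee5555\tB\tMAINTAINER_KEY_2\n"      # bad signature, trusted key
)

if __name__ == "__main__":
    for sha, why in violations(parse_log(SAMPLE_LOG), TRUSTED_KEYS):
        print(f"{sha}: {why}")
```

Running it against a live checkout is `violations(parse_log(git_log("master")), TRUSTED_KEYS)`; an empty result means the branch history would pass the rule as configured.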
