|
|
|
|
|
|
by Kalium
2942 days ago
|
|
|
OK. Let's not talk about potential threats. That's the language of fear, control, and paralysis. It's the language of liars and demagogues and exaggerations. Let's talk about risks and goals. The language of opportunities. An approach of `curl | bash` takes a needless amount of risk to accomplish its goals. It can do far too many things, of which it actually needs to do a small subset. It offers a lot of opportunity for bad things to happen to seize the opportunity for the things we want. Maybe there are ways to do the same things, to get the same ends, without taking on so much risk. How do you feel about this subject? |
|
|
The happy path is that you have some code to share and I want to get it exactly as you wrote it.
Right now the current issues with just using GitHub to share your code are the following:
1. GitHub app gets hacked and let's someone else do a commit (like the rails hack mentioned above).
2. GitHub employee modifies files in prod servers.
3. GitHub cloud provider gets hacked
4. State actor with lots of resources MITM GitHub.com domain and internet traffic and you fetch something else.
I think all this problems could be solved if:
1. Git enforces that all commits must be signed.
2. There is a decentralized list of usernames and keys.
This feature doesn't exists in git but it would be great if you could run `git clone` and it rejects the cloning if not all commits and tags has been signed.
But what If someone hacked GitHub to add a commit and she or he signed the commit. We need some kind of CA to only accept signed commits from the right people.
So there should be a fixed list of committers allowed in the repo and git would have to enforce that as well.
Then you have the problem that if all public keys are stored in GitHub then you almost get back to all the problems again of GitHub getting hacked. It would be great to have as many copies of usernames and public keys as possible. Something like a blockchain would be a good fit.
To recap, by having a decentralized system of users and public keys, and making git validate that the commits are signed and from the right people, we could have a much more reliable way of sharing code.
Additionally, we could have an "audit" system on top of all this were users can review code and mark it as "good". Then if you have a repo with a tagged version that has 5 reviews you can hope that it's pretty safe to run that version. Because it's a single system of usernames, you can check who are the reviewers.
It might be a bad idea to `curl | bash` a script from an stranger but at least you remove the risks of your code being delivered by a third party.