Protecting Mozilla’s GitHub Repositories from Malicious Modification (opens in new tab)

(blog.mozilla.org)

152 pointsjvehent7y ago54 comments

54 comments

16 comments · 2 top-level

throw283637y ago· 9 in thread

It is a shame that a lot of critical projects (including compilers, browsers...) still try to do things a la CVS/SVN (even if they use a DVCS).

Please, stop it. Do it the way the kernel does it. A hierarchy of maintainers that reviews the work sent by others and a single person with commit access to the main repository.

I am amazed that these smart people have not realizead yet that unrestricted commit access is simpy a no-go, with or without signed commits/tags.

Leace7y ago

Github lowers barriers to entry for a lot of people and I guess Mozilla likes that.

Compare creating a one line fix for a project on github and having a discussion and review to sending a properly formatted patch to a mailing list and following up on that.

I know that having properly configured mutt and git send-email eases most of these pains but not everyone uses mutt and browsers have better consistency between them than e-mail clients. You don't need to go through a guide to configure your browser to send patches and participate in a review (vs https://nanxiao.me/en/configure-thunderbird-to-send-patch-fr... ).

jopsen7y ago

It's also a balance... Most experimental researy projects don't need high security or high code quality. They just need to prove viability, etc..

u801e7y ago

> Compare creating a one line fix for a project on github and having a discussion and review to sending a properly formatted patch to a mailing list and following up on that.

For the former:

* Create a Github account

* Fork the repository

* Set up the new git remote

* Push to that remote

* Open the pull request

* Wait for notifications via email

* Go back to the webpage and find the comment

* Modify the code, add, commit, push, and type a comment

* Repeat

Versus

* Configure git to use one's ISP's email server

* Run git format-patch

* Run git send-email

* Check email for replies

* Amend the commit, run git format-patch, and git send-email

* Reply to the maintainer email

* Repeat

To reply to emails, you can use any email client or even do that in the browser. You only need to use the format-patch and send-email commands to send patches.

3 more replies

wongarsu7y ago

There is no proper tooling to support maintainer hierarchies beyond git itself, and most people would view it as a step backwards if a major open source project moved entirely to email.

I agree that letting everyone commit is a bad idea once you reach a certain size (though I prefer to limit commit rights to a group of code reviewers, which integrates nicely with github&co). But not every mozilla project has reached a size where the overhead is worth it.

nine_k7y ago

It depends on which kernel you mean!

https://www.freebsd.org/developers/cvs.html

https://cvsweb.openbsd.org/

Dragonfly and Illumos use git, though.

dpwm7y ago

It seems strange to me too. It's not just that, but I have seen more than once someone well-meaning person changing history and pushing it, causing problems for other maintainers. Git is a complex tool and as a result more complex actions tend to fall out of memory and tend towards copy-pasting from a Stack Overflow answer.

> A hierarchy of maintainers that reviews the work sent by others and a single person with commit access to the main repository.

This is surely the whole point of having a DCVS. You can just produce a request to pull and the person with push access can review it before it's committed.

3pt141597y ago

I completely agree.

Critical projects are used in self-driving cars now. It's time to grow up.

kyrra7y ago

Is this comment targeted at Mozilla? My understanding is that they fully host on Mercrual.

jvehentOP7y ago

Firefox and related code is on Mercurial, self-hosted, and mirror on GitHub. But Mozilla is a lot more than just Firefox, and tons of our applications, services, experiments and so on are hosted on GitHub.

Boulth7y ago· 5 in thread

> Production branches should be identified and configured:

> ...

> Require all commits to be GPG signed, using keys known in advance.

Is it possible to configure "all commits gpg signed" on Github? I haven't seen this option.

Another interesting thing that Github lacks is signed git pushes (`gpg push --signed`) that allows audit logging who moved which object to which ref.

masklinn7y ago

> Is it possible to configure "all commits gpg signed" on Github? I haven't seen this option.

Settings > Branches > [Add Rule] > <Apply Rule To> "*" > check "require signed commits".

At least according to the help text:

> Commits pushed to matching branches must have verified signatures.

3pt141597y ago

I've been signing my GPG commits for five years now.

The problem is that they don't allow GPG keys to be sunsetted. "Verified" should be a property on the commit, not something computed. If I replace my GPG key with something more secure, but I have no reason to believe my former GPG key was stolen, I should be able to keep trusting the other commits.

1 more reply

Boulth7y ago

Thank you!

ElBarto7y ago

Proposed code changes should in any case be reviewed, tested, then committed by someone with the right to do so (which should be a restricted right).

This is what really prevents malicious code changes.

Leace7y ago

Signed git pushes give you an opportunity to check if they really were "committed by someone with the right to do so". Without git push --signed you have to basically trust Github (which may be fine for most people's needs).

1 more reply

j / k navigate · click thread line to collapse

54 comments

16 comments · 2 top-level

throw283637y ago· 9 in thread

It is a shame that a lot of critical projects (including compilers, browsers...) still try to do things a la CVS/SVN (even if they use a DVCS).

Please, stop it. Do it the way the kernel does it. A hierarchy of maintainers that reviews the work sent by others and a single person with commit access to the main repository.

I am amazed that these smart people have not realizead yet that unrestricted commit access is simpy a no-go, with or without signed commits/tags.

Leace7y ago

Github lowers barriers to entry for a lot of people and I guess Mozilla likes that.

Compare creating a one line fix for a project on github and having a discussion and review to sending a properly formatted patch to a mailing list and following up on that.

jopsen7y ago

It's also a balance... Most experimental researy projects don't need high security or high code quality. They just need to prove viability, etc..

u801e7y ago

> Compare creating a one line fix for a project on github and having a discussion and review to sending a properly formatted patch to a mailing list and following up on that.

For the former:

* Create a Github account

* Fork the repository

* Set up the new git remote

* Push to that remote

* Open the pull request

* Wait for notifications via email

* Go back to the webpage and find the comment

* Modify the code, add, commit, push, and type a comment

* Repeat

Versus

* Configure git to use one's ISP's email server

* Run git format-patch

* Run git send-email

* Check email for replies

* Amend the commit, run git format-patch, and git send-email

* Reply to the maintainer email

* Repeat

To reply to emails, you can use any email client or even do that in the browser. You only need to use the format-patch and send-email commands to send patches.

3 more replies

wongarsu7y ago

There is no proper tooling to support maintainer hierarchies beyond git itself, and most people would view it as a step backwards if a major open source project moved entirely to email.

nine_k7y ago

It depends on which kernel you mean!

https://www.freebsd.org/developers/cvs.html

https://cvsweb.openbsd.org/

Dragonfly and Illumos use git, though.

dpwm7y ago

> A hierarchy of maintainers that reviews the work sent by others and a single person with commit access to the main repository.

This is surely the whole point of having a DCVS. You can just produce a request to pull and the person with push access can review it before it's committed.

3pt141597y ago

I completely agree.

Critical projects are used in self-driving cars now. It's time to grow up.

kyrra7y ago

Is this comment targeted at Mozilla? My understanding is that they fully host on Mercrual.

jvehentOP7y ago

Boulth7y ago· 5 in thread

> Production branches should be identified and configured:

> ...

> Require all commits to be GPG signed, using keys known in advance.

Is it possible to configure "all commits gpg signed" on Github? I haven't seen this option.

Another interesting thing that Github lacks is signed git pushes (`gpg push --signed`) that allows audit logging who moved which object to which ref.

masklinn7y ago

> Is it possible to configure "all commits gpg signed" on Github? I haven't seen this option.

Settings > Branches > [Add Rule] > <Apply Rule To> "*" > check "require signed commits".

At least according to the help text:

> Commits pushed to matching branches must have verified signatures.

3pt141597y ago

I've been signing my GPG commits for five years now.

1 more reply

Boulth7y ago

Thank you!

ElBarto7y ago

Proposed code changes should in any case be reviewed, tested, then committed by someone with the right to do so (which should be a restricted right).

This is what really prevents malicious code changes.

Leace7y ago

1 more reply

j / k navigate · click thread line to collapse