Distrusting GitHub interface PGP keys interface #3962

andrewdavidwong (Member) commented Jun 6, 2018
> A bit of a continuation on #3958, another point I have noted where we don't distrust GitHub's infrastructure, specifically the interface, is PGP keys.
>
> We are trusting GitHub to display the correct PGP key.

This is false. In no way do we (the Qubes team) trust GitHub with respect to PGP keys, signing, or encryption.

> Other than manual checking, there is no way to confirm that GitHub is displaying the correct PGP key that the commit was signed as. Also, the PGP key shown may not be the same as the key the commit was actually signed with (i.e. GitHub could change the key signed with).

Of course we don't use or rely on GitHub's display of PGP keys or signing for anything.
andrewdavidwong closed this Jun 6, 2018
andrewdavidwong added the notanissue label Jun 6, 2018
fosslinux commented Jun 6, 2018
@andrewdavidwong I think my post was not 100% clear. In no way did I mean that the Qubes team trust GitHub. However, I am more concerned about people who make pull requests, etc. and that **Qubes contributors using GitHub may unintentionally trust GitHub**. I would like to emphasize that I was not talking about the Qubes team.

Basically, to phrase in a different way, is there any way that we can reduce the trust Qubes contributors may unintentionally put in GitHub?
andrewdavidwong (Member) commented Jun 7, 2018
> I think my post was not 100% clear. In no way did I mean that the Qubes team trust GitHub. However, I am more concerned about people who make pull requests, etc. and that Qubes contributors using GitHub may unintentionally trust GitHub. I would like to emphasize that I was not talking about the Qubes team.
>
> Basically, to phrase in a different way, is there any way that we can reduce the trust Qubes contributors may unintentionally put in GitHub?
Ultimately, this requires contributors to understand how PGP works so that they understand how trusting GitHub's representation of a verified signature is different from verifying the PGP signatures on tags and commits oneself on a trusted local machine using properly validated keys. We can aid this understanding by adding an appropriate explanation to our Verifying Signatures page.
fosslinux commented Jun 6, 2018 (opening post)

A bit of a continuation on #3958, another point I have noted where we don't distrust GitHub's infrastructure, specifically the interface, is PGP keys.

We are trusting GitHub to display the correct PGP key. Other than manual checking, there is no way to confirm that GitHub is displaying the correct PGP key that the commit was signed as. Also, the PGP key shown may not be the same as the key the commit was actually signed with (i.e. GitHub could change the key signed with).
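The Jun 7 reply above draws the line between trusting GitHub's "Verified" badge and verifying a signature oneself on a trusted machine with properly validated keys. The following is an added example of what the latter looks like in practice; it is not Qubes project code and not part of this issue. It consumes the machine-readable `[GNUPG:] ...` status lines that `git verify-commit --raw <commit>` and `git verify-tag --raw <tag>` print on stderr (the same lines `gpg --status-fd` emits), and accepts a signature only if gpg reports it as good and the signing key's primary fingerprint is on a locally pinned allowlist. The fingerprints, key IDs, user ID and status transcripts below are constructed for the example and are not real Qubes keys; `evaluate_gpg_status` is a hypothetical helper name.

```python
"""Decide locally whether a git commit or tag signature is trustworthy.

Added example, not Qubes project code. Input is the "[GNUPG:] ..." status
output of `git verify-commit --raw` / `git verify-tag --raw` (stderr), or of
`gpg --status-fd 1 --verify`. A web UI's "Verified" badge is never consulted.
"""
from dataclasses import dataclass
from typing import FrozenSet, Optional

# Constructed fingerprint for this example (not a real Qubes key). In practice
# the allowlist is filled from fingerprints obtained and checked out of band,
# never copied from a web interface.
TRUSTED_PRIMARY_FINGERPRINTS: FrozenSet[str] = frozenset({
    "0123456789ABCDEF0123456789ABCDEF01234567",
})


@dataclass
class Verdict:
    ok: bool
    reason: str
    fingerprint: Optional[str] = None


def evaluate_gpg_status(status_text: str,
                        trusted: FrozenSet[str] = TRUSTED_PRIMARY_FINGERPRINTS) -> Verdict:
    """Map gpg status lines to a trust decision.

    Policy: BADSIG/ERRSIG/NO_PUBKEY, expired or revoked keys and expired
    signatures are rejected outright; a GOODSIG is accepted only when the
    fingerprint reported by VALIDSIG is pinned. Pinning replaces gpg's
    web-of-trust TRUST_* lines, which this function deliberately ignores.
    """
    good = False
    fingerprint = None
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue  # human-readable gpg/git chatter, not a status line
        fields = line.split()
        keyword = fields[1]
        if keyword == "BADSIG":
            return Verdict(False, "BADSIG: signature does not match the signed content")
        if keyword in ("ERRSIG", "NO_PUBKEY"):
            return Verdict(False, f"{keyword}: signature could not be checked (key not in local keyring?)")
        if keyword in ("EXPKEYSIG", "REVKEYSIG"):
            return Verdict(False, f"{keyword}: signing key is expired or revoked")
        if keyword == "EXPSIG":
            return Verdict(False, "EXPSIG: the signature itself has expired")
        if keyword == "GOODSIG":
            good = True
        if keyword == "VALIDSIG":
            # VALIDSIG <fpr> <sig-date> <sig-ts> <expire-ts> <version> <reserved>
            #          <pubkey-algo> <hash-algo> <class> [<primary-key-fpr>]
            # Pin on the primary key so signing subkeys may rotate; fall back to
            # the signing-key fingerprint if gpg omitted the primary.
            fingerprint = fields[11] if len(fields) >= 12 else fields[2]
    if not (good and fingerprint):
        return Verdict(False, "no valid signature found (unsigned object, or no gpg status output)")
    if fingerprint not in trusted:
        return Verdict(False, "good signature, but the key is not pinned: do not trust it", fingerprint)
    return Verdict(True, "signature good and key pinned", fingerprint)


# Constructed status transcripts in the shape `git verify-commit --raw` prints.
# Commit signed by the pinned key:
SIGNED_BY_PINNED_KEY = """\
[GNUPG:] NEWSIG
[GNUPG:] KEY_CONSIDERED 0123456789ABCDEF0123456789ABCDEF01234567 0
[GNUPG:] GOODSIG 89ABCDEF01234567 Example Signer <signer@example.invalid>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2018-06-06 1528243200 0 4 0 22 10 01 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""

# Good signature from a key that is in the keyring (so it would earn a green
# badge on a web UI) but is NOT pinned here: the thread's concern.
SIGNED_BY_UNPINNED_KEY = """\
[GNUPG:] NEWSIG
[GNUPG:] KEY_CONSIDERED FEDCBA9876543210FEDCBA9876543210FEDCBA98 0
[GNUPG:] GOODSIG 76543210FEDCBA98 Someone Else <other@example.invalid>
[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA9876543210FEDCBA98 2018-06-06 1528243200 0 4 0 22 10 01 FEDCBA9876543210FEDCBA9876543210FEDCBA98
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""

# Content modified after signing:
TAMPERED_COMMIT = """\
[GNUPG:] NEWSIG
[GNUPG:] BADSIG 89ABCDEF01234567 Example Signer <signer@example.invalid>
"""

# Signing key absent from the local keyring (rc 9 = NO_PUBKEY):
KEY_NOT_IN_KEYRING = """\
[GNUPG:] NEWSIG
[GNUPG:] ERRSIG 76543210FEDCBA98 22 10 01 1528243200 9 FEDCBA9876543210FEDCBA9876543210FEDCBA98
[GNUPG:] NO_PUBKEY 76543210FEDCBA98
"""

UNSIGNED_COMMIT = ""  # git prints no status lines for an unsigned object


if __name__ == "__main__":
    # Real use: subprocess.run(["git", "verify-commit", "--raw", rev],
    # capture_output=True, text=True) and pass .stderr here.
    for name, status in [("pinned", SIGNED_BY_PINNED_KEY), ("unpinned", SIGNED_BY_UNPINNED_KEY),
                         ("tampered", TAMPERED_COMMIT), ("no key", KEY_NOT_IN_KEYRING),
                         ("unsigned", UNSIGNED_COMMIT)]:
        v = evaluate_gpg_status(status)
        print(f"{name:9s} ok={v.ok!s:5s} {v.reason}")
```

The "unpinned" case is the one the thread is about: gpg says the signature is good, and a web interface would show it as verified, yet nothing on your side has established that this key is the one the project signs with. A good signature from any key in your keyring is only as meaningful as your own decision to trust that key, which is what the pinned allowlist encodes; the allowlist has to be populated from fingerprints validated out of band, not read off GitHub.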