[
Date Prev][
Date Next][
Thread Prev][Thread Next][
Date Index][
Thread Index]
[
List Home]
Re: [eclipse.org-architecture-council] RFC: Eclipse Foundation Secure Software Supply Chain Levels
|
Thank you, Matthias. My answers inline.
I'm glad you like it.
Some comments regarding securing of source code repositories:
Commit signing:
- important on git servers like GitHub and GitLab which have no means to prohibit forging of committer identities (supported in Gerrit).
- still a can of worms, see e.g. https://lobi.to/writes/wacksigning/
I think most promising is gitsign leveraging Sigstore infrastructure and push signing, though GitHub and GitLab don’t support it (Gerrit does).
Authenticating to git servers using short lived OAuth tokens (not long-lived personal access tokens) is possible with https://github.com/hickford/git-credential-oauth
I think we should encourage hardware keys for MFA, I started using yubikeys a couple of months ago and never looked back
I would welcome a policy that commits should use the real name of the contributor instead of an anonymous nick name which seems to be popular on GitHub.