Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Suggestion: Signing Commits #569

Open
chadsr opened this issue Feb 29, 2024 · 1 comment
Open

Suggestion: Signing Commits #569

chadsr opened this issue Feb 29, 2024 · 1 comment

Comments

@chadsr
Copy link

chadsr commented Feb 29, 2024

Merely a suggestion / discussion point, so please don't take this as a criticism!

Has the Keystone firmware development team considered making signed commits mandatory for the firmware related repositories?

Since this is some pretty critical code, it would add some further re-assurance if the core developers were utilising GPG (Yubikey, etc) hardware keys to sign their commits, lowering the likelihood of a (compromised) developer compromising any of the code (accidentally or not).

Your team and code complexity are growing pretty rapidly, so managing these sorts of easy to solve "attack" surfaces earlier, rather than later can prevent bigger security headaches later on, in my opinion (and experience).

Curious what your thoughts on this are, or hearing more on what your current policy is.
@aaronisme
Copy link
Contributor

@chadsr Thanks for the advice we will look into that

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@aaronisme @chadsr