reply on: I Effed around and Found out about Openclaw so You Don't Have to \ stacker news

pull down to refresh

88 sats \ 5 replies \ @optimism 10 Feb \ parent \ on: I Effed around and Found out about Openclaw so You Don't Have to AI

Over the weekend, I noticed something malicious on some of our github repos I didn't do, was done as me... very sneaky too, it edited a legit commit by me, only tell was the suspicious timestamp causing me to look at the diff.

That's crazy!!! Do you pgp sign your commits?

241 sats \ 4 replies \ @justin_shocknet 10 Feb

No, we've been pretty low profile, and most of the repos are private... but with the open stuff like Pub and Wallet gaining traction and handling more and more funds I need to implement vigilance signatures.

Was pretty burnt already when this happened. Been a long stretch trying to tie a bunch of big (and critical) features out the door on top of bug fighting... so taking a few days to live in the meatspace a bit and will come back at it with fresh eyes.

The github outage yesterday really sent me into a spin, for a moment thought we were under attack again. Trying to avoid the temptation to self-host git and actions runners altogether.

62 sats \ 3 replies \ @optimism 10 Feb

Yeah I get that. I have many private repos where I have commit signing off. On the public ones it's mandatory, simply because ownership is a must - it's more a precaution / nonrepudiation thing.

I self-host for private, but not public repos. Wouldn't recommend self-hosting public repos either, because it mostly just means more attack surface to worry about.

145 sats \ 2 replies \ @028559d218 10 Feb

Maybe I'm making assumptions...
But isn't PGP-signing commits especially Bitcoin software... like basically mandatory? Your PGP key is basically who you are on the internet.

62 sats \ 0 replies \ @optimism 11 Feb

Your PGP key is basically who you are on the internet.

Not really.. It's just a cryptographic key. They expire, get lost, get stolen... so it's not "your identity".

For large public-facing repos it's unwise to rely on every individual contributor's security, so you don't build a process around that because if the process fails with one contributor leaking their keys, you're screwed. Instead you:

Have pgp sigs on merge commits and tags
Validate these
Always be vigilant

If you have an active community, issues will be spotted. If you don't, you have to do the work yourself.

166 sats \ 0 replies \ @justin_shocknet 11 Feb

We use SSH that verifies in the same way, PGP wouldn't have changed anything, a botched branch rule on one repo was the gap in preventing the push at all ... and vigilance mode would have flagged it more visibly

We don't distribute binaries that would need a signed hash