gitsign VS gittuf

> does it also filter/escape ANSI Sequences in messages and author names?

Not at present! Do you have a link or so I could use to familiarize myself? I'm curious if it'd fall within gittuf's scope.

> does it block garbage collection?

Nope, it doesn't. That said, the repository will have more objects, gittuf tracks additional objects through custom refs in `refs/gittuf/`.

> how do you ensure that the developers are really the developers and there's no spoofing?

At present, gittuf policies use signing keys. It doesn't rely on the commit metadata for author and committer but rather the commit's signature. We support GPG and Sigstore's gitsign [0] right now, and we want to support other signing mechanisms like SSH keys as well.

[0] https://github.com/sigstore/gitsign

You may want to check out https://github.com/sigstore/gitsign! You can generate ephemeral x509 code signing certs for free using Sigstore.

(disclosure: I'm a maintainer for gitsign)

Def check out the gitsign project mentioned in the post: https://github.com/sigstore/gitsign

Gitsign offers a keyless commit signing implementation based on OIDC, which is an identity layer built on top of the OAuth 2.0 framework. Gitsign supports verifying your identity either through GitHub, Microsoft, or a Google account.

Shameless plug for the gitsign project in sigstore: https://github.com/sigstore/gitsign

This isn't supported by GitHub yet but we're hopefully working towards that too.

We used to actually run an RFC3161 timestamp server in addition to the transparency log but recently turned it down because no one was using it. I'd like to bring it back for stuff like this.

https://github.com/sigstore/gitsign/issues/22

It actually does but it's very much in alpha/active development (under the umbrella of OpenSSF with the intent of being integrated into mainline git eventually).

https://github.com/gittuf/gittuf

Hey Will, thanks!

The paper is from quite a few years ago now and the reference is for a subset of gittuf's threat model, specifically the metadata manipulation / reference state attacks. The paper talks about MITM as one way to carry out a ref state attack, but if you're communicating with a compromised repository, you can be a victim of such an attack even if you're using authenticated transport and using signed commits / tags that you have a way of verifying.

We do have a threat model for gittuf that we've been meaning to add [0] to the design doc. I'll try and get that done today. It should probably be in there before we tag our alpha release. :)

[0] https://github.com/gittuf/gittuf/issues/95