* Coordinated Security Audit for git. Contacts needed
@ 2022-07-21 16:49 Amir Montazery
  2022-07-21 17:47 ` Junio C Hamano
  0 siblings, 1 reply; 4+ messages in thread
From: Amir Montazery @ 2022-07-21 16:49 UTC (permalink / raw)
  To: git

Hello git maintainers,

The Open Source Technology Improvement Fund, Inc (https://ostif.org)
has put together a coalition of 18 security professionals and
researchers to conduct a holistic security review of git. The
objective of this email is to inform you of the effort and seek
collaboration.  We feel that the more we can engage and collaborate
with git maintainers, the more effective and impactful our security
review can be. An overview of the teams and work packages is as
follows:

Git Security Audit Work Packages:

Git source code review and threat modeling: This will be done by the
team at x41 d-sec with support from Gitlab reps.

Supply chain security / CI infrastructure review with Chainguard and
support from Gitlab.

A new setup of CodeQL for git with Xavier, Turbo and their team from Github.


We would love to collaborate to establish communication channels with
key maintainers. Would it be possible for one of us to join one of
your community meetings for 5 minutes? Or is there a key person we
should be engaging?


We thank you for maintaining a key and critical piece of software for
the open source community and beyond.

Thanks again,
Amir

-- 
Amir Montazery
Managing Director
Open Source Technology Improvement Fund
https://ostif.org/
https://calendly.com/ostif


* Re: Coordinated Security Audit for git. Contacts needed
  2022-07-21 16:49 Coordinated Security Audit for git. Contacts needed Amir Montazery
@ 2022-07-21 17:47 ` Junio C Hamano
  2022-07-21 18:06   ` Amir Montazery
  0 siblings, 1 reply; 4+ messages in thread
From: Junio C Hamano @ 2022-07-21 17:47 UTC (permalink / raw)
  To: Amir Montazery; +Cc: git

Amir Montazery <amir@ostif.org> writes:

> We would love to collaborate to establish communication channels with
> key maintainers. Would it be possible for one of us to join one of

We do not call people "maintainers", but "developers" and/or
"contributors".

> your community meetings for 5 minutes? Or is there a key person we
> should be engaging?

There are no "community meetings" other than the informal "stand-up"
irc discussion that is biweekly.  The log of the latest is at
https://colabti.org/irclogger/irclogger_log/git-devel?date=2022-07-18
but generally speaking we are not into "synchronous" communication.

You come to this mailing list and start talking, and that is how you
are heard by community members, which you're already doing fine ;-).

In case you are not familiar with Git, you can see output from

	git shortlog --no-merges -s -n --since=2.years | head

to see who have been the active contributors.

Thanks.



* Re: Coordinated Security Audit for git. Contacts needed
  2022-07-21 17:47 ` Junio C Hamano
@ 2022-07-21 18:06   ` Amir Montazery
  2022-07-21 18:47     ` Junio C Hamano
  0 siblings, 1 reply; 4+ messages in thread
From: Amir Montazery @ 2022-07-21 18:06 UTC (permalink / raw)
  To: Junio C Hamano; +Cc: git

Thank you for the reply and information Junio.

Apologies for the mixup. I thank the community members for your time
and consideration. If anyone is interested in providing some direction
or help with the source code review, supply chain security, or
customizing a new setup of CodeQL for git, please let me know. I
understand you're all likely very busy so we will keep it as brief as
possible. I can be reached at amir@ostif.org.

Thank you again. Hope everyone's summer is going well!


On Thu, Jul 21, 2022 at 12:47 PM Junio C Hamano <gitster@pobox.com> wrote:
>
> Amir Montazery <amir@ostif.org> writes:
>
> > We would love to collaborate to establish communication channels with
> > key maintainers. Would it be possible for one of us to join one of
>
> We do not call people "maintainers", but "developers" and/or
> "contributors".
>
> > your community meetings for 5 minutes? Or is there a key person we
> > should be engaging?
>
> There is no "community meetings" other than the informal "stand-up"
> irc discussion that is biweekly.  The log of the latest is at
> https://colabti.org/irclogger/irclogger_log/git-devel?date=2022-07-18
> but generally speaking we are not into "synchronous" communication.
>
> You come to this mailing list and start talking, and that is how you
> are heard by community members, which you're already doing fine ;-).
>
> In case you are not familiar with Git, you can see output from
>
>         git shortlog --no-merges -s -n --since=2.years | head
>
> to see who have been the active contributors.
>
> Thanks.
>


-- 
Amir Montazery
Managing Director
Open Source Technology Improvement Fund
https://ostif.org/
https://calendly.com/ostif


* Re: Coordinated Security Audit for git. Contacts needed
  2022-07-21 18:06   ` Amir Montazery
@ 2022-07-21 18:47     ` Junio C Hamano
  0 siblings, 0 replies; 4+ messages in thread
From: Junio C Hamano @ 2022-07-21 18:47 UTC (permalink / raw)
  To: Amir Montazery; +Cc: git

Amir Montazery <amir@ostif.org> writes:

>> There is no "community meetings" other than the informal "stand-up"
>> irc discussion that is biweekly.  The log of the latest is at
>> https://colabti.org/irclogger/irclogger_log/git-devel?date=2022-07-18
>> but generally speaking we are not into "synchronous" communication.

The next one is on Aug 1st, it seems, according to https://tinyurl.com/gitCal

    The Git Standup is currently happening every two weeks at 18:00 UTC
    in the #git-devel channel on irc.libera.chat and its log can be
    found at https://j.mp/gitdevlog

Coming to it may be a good way to "get to know" some folks who work
on the project.

> ... If anyone is interested in providing some direction
> or help with the source code review, supply chain security, or
> customizing a new setup of CodeQL for git, please let me know.

All new code (with a small exception) goes through the patch review on
this list, so reviewing patches posted here and archived at

    https://lore.kernel.org/git/

with special focus on the security aspect (which is the forte of
you folks) may be great.  A patchwork instance that captures the
traffic can be seen at

    https://patchwork.kernel.org/project/git/list/

I am not sure what the best place to start in auditing the existing
codebase is, though.

Even though linking with libraries that are unpatched for known
vulnerabilities and/or are compromised would be a problem for
end-users, because we as the project only make source releases and do
not make binary distributions, supply-chain issues may not be as big
an issue to the project.  Our friends at the "Git for Windows"
project do one for their platform, and may use your help in the
area, though.

Thanks.
