It's a bit disappointing that a seemingly official project isn't using commit signing for verification and non-repudiation. It's open source, great! But it's also pretty massive (i.e. hard to review everything), and there's the chance of a bad actor sticking code into something as critical as tax filings.
Kinda. Since it's Public Domain, there's little to no use in signing the code, because they explicitly forfeited any rights to it.
Public Domain means you can legally take their code, riddle it with malware, and distribute it, claiming that it's the real and true Direct File source code and that you are its author. What you do with malware is a different legal issue, of course.
So I'm not sure proving you are the commit owner by signing it is really helpful if anyone can do it as well, and there's no copyright holder to decide who's right.
Copyright doesn't have anything to do with it, even remotely. I don't care who owns it or who claims to own it. But it may be useful to verify that the commit came from the government.
Let's say you see a green checkmark on GitHub that confirms the commit was really made by GitHub user @totally_legit_government_absolutely_not_hacker.
Unless you already have their public GPG key in your private keychain, and you marked it as "trusted" previously, there isn't really much more information in that.
UPDATE: besides, the government is like a million people, some of them are malicious actors.
Setting aside malicious government employees, the authN part of this seems like something for which technical solutions exist. Governments could operate PKI trusts and link their employees’ development credentials (in the US, this would be a PIV card or something like it) to that certificate chain. Commits, or committer identity, could be signed via that chain. The dual security of “physical/secure individual credential signing via an available-on-internal-government-network-only authority”, with a public authority available for validation, seems like it would be so secure as to be … close enough for government work.
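The point made in the two comments above, that a "good" signature only tells you the commit was made by whoever holds the key and that trusting the key is a separate decision the verifier records in their own keyring, can be seen directly with git and gpg. The script below is an added example, not code from the thread or from the Direct File project. It uses two throwaway GNUPGHOME directories to play the signer and the verifier, makes one signed commit, and verifies it twice from the verifier's side: once after merely importing the signer's public key, and once after the verifier has marked that key as trusted (which is the step a PKI chain or a pre-distributed, trusted key would replace). It needs gpg 2.1 or newer and git; the name and e-mail address in it are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Direct File project.
# A signature git reports as "good" only says the commit was made by
# whoever holds the key; whether the verifier trusts that key is a separate
# decision stored in the verifier's own keyring. Two throwaway GNUPGHOME
# directories stand in for the signer and the verifier. Requires gpg (2.1+)
# and git. The name and e-mail address are constructed placeholders.
set -e

WORK=$(mktemp -d)
SIGNER_HOME="$WORK/signer-gnupg"
VERIFIER_HOME="$WORK/verifier-gnupg"
REPO="$WORK/repo"
mkdir -p "$SIGNER_HOME" "$VERIFIER_HOME" "$REPO"
chmod 700 "$SIGNER_HOME" "$VERIFIER_HOME"

# --- Signer side: make a passphrase-less key and one signed commit. ---
GNUPGHOME="$SIGNER_HOME" gpg --batch --quiet --pinentry-mode loopback \
    --passphrase '' --quick-gen-key 'Example Signer <signer@example.invalid>' \
    default default never 2>/dev/null
# Primary key fingerprint: first "fpr" record of the colon-separated listing.
FPR=$(GNUPGHOME="$SIGNER_HOME" gpg --batch --with-colons --list-keys \
    | awk -F: '$1 == "fpr" { print $10; exit }')

git -C "$REPO" init -q
GNUPGHOME="$SIGNER_HOME" git -C "$REPO" \
    -c user.name='Example Signer' -c user.email='signer@example.invalid' \
    -c user.signingkey="$FPR" \
    commit -q -S --allow-empty -m 'signed commit (constructed example)'

# --- Verifier side: import the public key, then check the signature. ---
GNUPGHOME="$SIGNER_HOME" gpg --batch --armor --export "$FPR" > "$WORK/signer.asc"
GNUPGHOME="$VERIFIER_HOME" gpg --batch --quiet --import "$WORK/signer.asc" 2>/dev/null

# Print the TRUST_* status word gpg emits when verifying HEAD against the
# keyring in $1. "git verify-commit --raw" relays gpg's machine-readable
# status lines, e.g. "[GNUPG:] TRUST_UNDEFINED 0 pgp".
trust_status() {
    GNUPGHOME="$1" git -C "$REPO" verify-commit --raw HEAD 2>&1 \
        | awk '$1 == "[GNUPG:]" && $2 ~ /^TRUST_/ { print $2; exit }'
}

# Same signature, two different answers. Before any trust decision the
# signature is good but the key's validity is unknown ...
BEFORE_TRUST=$(trust_status "$VERIFIER_HOME")

# ... and after the verifier records ownertrust level 6 ("ultimate") for
# the key, the same signature verifies with full trust.
printf '%s:6:\n' "$FPR" \
    | GNUPGHOME="$VERIFIER_HOME" gpg --batch --quiet --import-ownertrust 2>/dev/null
GNUPGHOME="$VERIFIER_HOME" gpg --batch --quiet --check-trustdb 2>/dev/null
AFTER_TRUST=$(trust_status "$VERIFIER_HOME")

echo "before trust decision: $BEFORE_TRUST"   # TRUST_UNDEFINED
echo "after trust decision:  $AFTER_TRUST"    # TRUST_ULTIMATE

# Stop the agents the two throwaway keyrings started.
for h in "$SIGNER_HOME" "$VERIFIER_HOME"; do
    GNUPGHOME="$h" gpgconf --kill gpg-agent 2>/dev/null || true
done
```

Note that both runs report a good signature; what changes is the trust status. GitHub's green checkmark corresponds to the first state (signature checks out against a key someone uploaded), and it is the second state, a trust decision the verifier made themselves or inherited from a chain they already trust, that actually ties the commit to a known party.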
You don't know what they used internally. There are two commits on GitHub which just dump the code from whatever they used for version control for the past two years, and no further development will take place.
What could it really do, though? Any discrepancies will just be settled in an audit. Of course, you are providing name, address, SSN, and bank account info, but what malevolent entity doesn't already have that data about you anyway? Besides, "trust us, we're the government" is good enough already! /s