Hacker News

> plus a GitHub log showing that the authorship attribution hasn't been tampered with

Unless GitHub has some backup logs somewhere, that entire log can be wiped out and replaced with whatever someone wants with a simple `git push -f`.

Which is why it's so important to sign commits. You sign your commits, and keep your private key private, and as long as any copy of the repo exists anywhere you can access, you can prove authorship/ownership.

Commit signing is also very useful for vouching for code integrity.




You still can't prove authorship. You can prove that at some point you signed that particular commit. But I could easily take a repo including signed commits from you and rewrite and resign the commits with my own private key. This only works if the one doing the signing is a trusted third party.


That's a good point, but if you combine signing with an indelible timestamp, like one of the blockchain services or other trusted legal timestamping services, you'd be in pretty good shape.


I assume you're suggesting something like including such a timestamp in the commit message? If that's the case, that makes a lot of sense to me. It would be cool to have a tool to automate this. Or something like GitTorrent[0] might do the trick if it had wider adoption.

[0] http://blog.printf.net/articles/2015/05/29/announcing-gittor...


(Sorry for late response.)

No, for this to work, you'd really need to timestamp either the git tree hash or (preferably) the hash of the GPG signature (or the signature itself).

Most timestamp service hashes are necessarily public (for trust reasons), so an attacker could grab one and go back and include it in his signed commit message.

But if you timestamp your commit hash (which is a cryptographic hash after all -- albeit an increasingly weak one) or timestamp the signed commit, then it can't be forged (since the attacker can't go back in time and use a cryptographically-verifiable timestamp, like the ones indelibly embedded in the blockchain).


Sorry, what I meant was to include a hash of the commit in a public blockchain and then attach this timestamp to the commit. So I think we're on the same page.
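The timestamping argument in this branch, as an added example that is not part of any comment here: a git-style commit hash, an append-only ledger standing in for the blockchain or notary service, and the two checks the commenters contrast (token quoted in the message vs. commit hash anchored in the ledger). Ledger, author names and sample object ids are constructed; signatures are left out because the ordering check does not depend on them.

```python
import hashlib

def git_commit_hash(tree, parent, author, message):
    """Hash a commit object the way git does: sha1('commit <len>\\0' + body)."""
    body = f"tree {tree}\nparent {parent}\nauthor {author}\n\n{message}\n".encode()
    return hashlib.sha1(b"commit %d\x00" % len(body) + body).hexdigest()

class Ledger:
    """Append-only, public timestamp ledger (constructed stand-in for a blockchain
    or legal timestamping service). An entry's position acts as its timestamp."""
    def __init__(self):
        self.entries = []

    def anchor(self, digest):
        self.entries.append(digest)
        return len(self.entries)

    def first_seen(self, digest):
        return self.entries.index(digest) + 1 if digest in self.entries else None

def naive_message_check(message, ledger):
    """Weak scheme: accept a commit whose message quotes any anchored token.
    Tokens are public, so anyone can quote one; it says nothing about the commit."""
    return any(token in message for token in ledger.entries)

def earliest_claim(ledger, claims):
    """claims: list of (author, commit_hash). The hash commits to tree, parent,
    author and message, so the claim anchored first is the one that existed first."""
    seen = [(ledger.first_seen(h), a) for a, h in claims if ledger.first_seen(h)]
    return min(seen)[1] if seen else None

def scenario():
    """Constructed walk-through. Returns (forgery passes naive check, ordered verdict)."""
    ledger, tree, parent = Ledger(), "a" * 40, "b" * 40  # constructed object ids
    # Alice commits and anchors the commit hash in the ledger right away.
    alice = git_commit_hash(tree, parent, "Alice <alice@example.com>", "Add parser")
    ledger.anchor(alice)
    # Mallory rewrites history with himself as author and pastes Alice's public
    # ledger token into his message; any timestamp he obtains is necessarily later.
    mallory_msg = f"Add parser\n\nTimestamp-Token: {ledger.entries[0]}"
    mallory = git_commit_hash(tree, parent, "Mallory <mallory@example.com>", mallory_msg)
    ledger.anchor(mallory)
    forgery_passes_naive = naive_message_check(mallory_msg, ledger)
    verdict = earliest_claim(ledger, [("Mallory", mallory), ("Alice", alice)])
    return forgery_passes_naive, verdict
```

Running `scenario()` shows the quoted-token check accepting the rewritten commit while the anchored-hash ordering still resolves to the original author.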


I assume GitHub has backup logs of all activity somewhere, if only to prevent the "Somebody guessed my GitHub password and replaced all my repositories with a README saying 'HAHA U BEEN PWNED!', please help!" situation.



