[FFmpeg-devel] rebasing security

[Michael Niedermayer <michael@niedermayer.cc>]

[-- Attachment #1.1: Type: text/plain, Size: 1434 bytes --]

Hi

The "on server rebase" process that we are using with forgejo looks a bit insecure

Previously we wrote code, discussed and then signed and pushed
    In this setup the code coming from a developer is not manipulatable
    because noone else can sign it
    Even if its not signed, stuff would light up if the
    server suddenly changed your pushed commits, as local and
    remote would not match

The current workflow is to create a merge request and up to that we
are good.

The problem, the code is then sometimes rebased on the server, this removes
all signatures and allows arbitrary changes to happen. And that is, after
all reviews.

in the ML based system, a supply chain attack would have to hit author and
all reviewers.
With webapp rebasing a point after the reviews can introduce a change stealthy

The solutions are obvious:
1. ignore security and supply chain attacks
2. use merges not rebases on the server
3. rebase locally, use fast forward only
4. verify on server rebases

whats the oppinon of people about merging instead of rebasing ?
Theres also non security arguments in favor of merges:
    https://lkml.org/lkml/2008/2/12/627

That said, i think "verify on server rebases" is possible, just not
something i have heard off before.

am i missing something ?

thx

--
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

No snowflake in an avalanche ever feels responsible. -- Voltaire

[-- Attachment #1.2: signature.asc --]
[-- Type: application/pgp-signature, Size: 195 bytes --]

[-- Attachment #2: Type: text/plain, Size: 251 bytes --]

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".