From: Michael Niedermayer <michael@niedermayer.cc>
To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
Subject: Re: [FFmpeg-devel] rebasing security
Date: Sun, 3 Aug 2025 20:08:58 +0200
Message-ID: <20250803180858.GD29660@pb2> (raw)
In-Reply-To: <58fc1346-0f07-4f50-ac70-709d341b74a6@rothenpieler.org>
[-- Attachment #1.1: Type: text/plain, Size: 2430 bytes --]
Hi
On Sun, Aug 03, 2025 at 05:38:26PM +0200, Timo Rothenpieler wrote:
> On 8/3/2025 5:31 PM, Michael Niedermayer wrote:
> > Hi
> >
> > The "on server rebase" process that we are using with forgejo looks a bit insecure
> >
> > Previously we wrote code, discussed and then signed and pushed
> > In this setup the code coming from a developer is not manipulatable
> > because noone else can sign it
> > Even if its not signed, stuff would light up if the
> > server suddenly changed your pushed commits, as local and
> > remote would not match
> >
> > The current workflow is to create a merge request and up to that we
> > are good.
> >
> > The problem, the code is then sometimes rebased on the server, this removes
> > all signatures and allows arbitrary changes to happen. And that is, after
> > all reviews.
> >
> > in the ML based system, a supply chain attack would have to hit author and
> > all reviewers.
> > With webapp rebasing a point after the reviews can introduce a change stealthy
> >
> > The solutions are obvious:
> > 1. ignore security and supply chain attacks
> > 2. use merges not rebases on the server
> > 3. rebase locally, use fast forward only
> > 4. verify on server rebases
> >
> > whats the oppinon of people about merging instead of rebasing ?
> > Theres also non security arguments in favor of merges:
> > https://lkml.org/lkml/2008/2/12/627
> >
> > That said, i think "verify on server rebases" is possible, just not
> > something i have heard off before.
> >
> > am i missing something ?
> >
> > thx
> >
>
> I can change the setting from "Rebase and merge to FF Only", though that
> would be very tedious to deal with for everyone involved.
that would be "3." in my list and yes it would be tedious, I think the main
question is about the 2./4. options (or if iam missing something)
>
> Forgejo can keep commit signatures intact if proper keys are configured for
> the users.
Forgejo certainly should have its own key to sign commits it generates.
But it cannot have any individual developers private key.
thx
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
Concerning the gods, I have no means of knowing whether they exist or not
or of what sort they may be, because of the obscurity of the subject, and
the brevity of human life -- Protagoras
[-- Attachment #1.2: signature.asc --]
[-- Type: application/pgp-signature, Size: 195 bytes --]
[-- Attachment #2: Type: text/plain, Size: 251 bytes --]
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
next prev parent reply other threads:[~2025-08-03 18:09 UTC|newest]
Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-08-03 15:31 Michael Niedermayer
2025-08-03 15:38 ` Timo Rothenpieler
2025-08-03 15:43 ` James Almer
2025-08-03 18:08 ` Michael Niedermayer [this message]
2025-08-03 19:02 ` Michael Niedermayer
2025-08-03 20:01 ` Timo Rothenpieler
2025-08-03 20:29 ` Michael Niedermayer
2025-08-03 20:34 ` Timo Rothenpieler
2025-08-04 20:15 ` Alexander Strasser via ffmpeg-devel
2025-08-04 21:36 ` Marton Balint
2025-08-05 3:06 ` Kacper Michajlow
2025-08-05 3:18 ` Kacper Michajlow
2025-08-05 4:05 ` Jacob Lifshay
2025-08-05 22:18 ` Alexander Strasser via ffmpeg-devel
2025-08-12 17:04 ` Marton Balint
2025-08-12 17:26 ` Timo Rothenpieler
2025-08-05 22:37 ` Michael Niedermayer
2025-08-06 6:51 ` Alexander Strasser via ffmpeg-devel
2025-08-06 11:50 ` Michael Niedermayer
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250803180858.GD29660@pb2 \
--to=michael@niedermayer.cc \
--cc=ffmpeg-devel@ffmpeg.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Git Inbox Mirror of the ffmpeg-devel mailing list - see https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
This inbox may be cloned and mirrored by anyone:
git clone --mirror https://master.gitmailbox.com/ffmpegdev/0 ffmpegdev/git/0.git
# If you have public-inbox 1.1+ installed, you may
# initialize and index your mirror using the following commands:
public-inbox-init -V2 ffmpegdev ffmpegdev/ https://master.gitmailbox.com/ffmpegdev \
ffmpegdev@gitmailbox.com
public-inbox-index ffmpegdev
Example config snippet for mirrors.
AGPL code for this site: git clone https://public-inbox.org/public-inbox.git