From: Michael Niedermayer <michael@niedermayer.cc>
To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
Subject: Re: [FFmpeg-devel] rebasing security
Date: Sun, 3 Aug 2025 21:02:34 +0200
Message-ID: <20250803190234.GE29660@pb2> (raw)
In-Reply-To: <20250803153139.GC29660@pb2>
[-- Attachment #1.1: Type: text/plain, Size: 1685 bytes --]
Hi
On Sun, Aug 03, 2025 at 05:31:39PM +0200, Michael Niedermayer wrote:
[...]
> The solutions are obvious:
> 1. ignore security and supply chain attacks
> 2. use merges not rebases on the server
> 3. rebase locally, use fast forward only
> 4. verify on server rebases
Maybe not everyone understood the problem. So let me try a different
explanation. Without any signatures.
In the ML workflow: (for simplicity we assume reviewer and commiter is the same person)
1. someone posts a patch
2. patch is locally applied or rebased
3. commit is reviewed
4. commit is tested
5. commit is pushed
Here the only way to get bad code in, is through the reviewer
If the reviewer doesnt miss anything and his setup is not compromised
then what he pushes is teh reviewed code
if its manipulated after its pushed git should light up like a christmess tree
on the next "git pull --rebase"
With the rebase on webapp (gitlab or forgejo) workflow
1. someone posts a pull request
2. pr is reviewed
3. pr is approved
4. pr is rebased
5. pr is tested
6, pr is pushed
now here of course the same reviewer trust or compromised scenarios exist
but we also have an extra one and that is the server
because the server strips the signatures during rebase it can modify the
commit. And this happens after review and because a rebase was litterally
requested by the reviewer its not likely to be noticed as something out of
place
thx
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
When you are offended at any man's fault, turn to yourself and study your
own failings. Then you will forget your anger. -- Epictetus
[-- Attachment #1.2: signature.asc --]
[-- Type: application/pgp-signature, Size: 195 bytes --]
[-- Attachment #2: Type: text/plain, Size: 251 bytes --]
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
next prev parent reply other threads:[~2025-08-03 19:02 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-08-03 15:31 Michael Niedermayer
2025-08-03 15:38 ` Timo Rothenpieler
2025-08-03 15:43 ` James Almer
2025-08-03 18:08 ` Michael Niedermayer
2025-08-03 19:02 ` Michael Niedermayer [this message]
2025-08-03 20:01 ` Timo Rothenpieler
2025-08-03 20:29 ` Michael Niedermayer
2025-08-03 20:34 ` Timo Rothenpieler
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250803190234.GE29660@pb2 \
--to=michael@niedermayer.cc \
--cc=ffmpeg-devel@ffmpeg.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Git Inbox Mirror of the ffmpeg-devel mailing list - see https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
This inbox may be cloned and mirrored by anyone:
git clone --mirror https://master.gitmailbox.com/ffmpegdev/0 ffmpegdev/git/0.git
# If you have public-inbox 1.1+ installed, you may
# initialize and index your mirror using the following commands:
public-inbox-init -V2 ffmpegdev ffmpegdev/ https://master.gitmailbox.com/ffmpegdev \
ffmpegdev@gitmailbox.com
public-inbox-index ffmpegdev
Example config snippet for mirrors.
AGPL code for this site: git clone https://public-inbox.org/public-inbox.git