From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from ffbox0-bg.ffmpeg.org (ffbox0-bg.ffmpeg.org [79.124.17.100]) by master.gitmailbox.com (Postfix) with ESMTPS id 1CD264C4EF for ; Sun, 3 Aug 2025 19:02:47 +0000 (UTC) Received: from [127.0.1.1] (localhost [127.0.0.1]) by ffbox0-bg.ffmpeg.org (Postfix) with ESMTP id F08A868CAEF; Sun, 3 Aug 2025 22:02:43 +0300 (EEST) Received: from relay5-d.mail.gandi.net (relay5-d.mail.gandi.net [217.70.183.197]) by ffbox0-bg.ffmpeg.org (Postfix) with ESMTPS id 1632768C1B2 for ; Sun, 3 Aug 2025 22:02:37 +0300 (EEST) Received: by mail.gandi.net (Postfix) with ESMTPSA id 25BBB44379 for ; Sun, 3 Aug 2025 19:02:35 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=niedermayer.cc; s=gm1; t=1754247756; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=8gNASxW/fW9Px0iGN/w0lXThhPGMLBjPx72vaXhlNSc=; b=YB0winlLrr69GGy2H9sFl8Dldp8cxIfB+WG0XzE6qd5p0L90JfeNWy2GNk2ocQzHMZjajD ZYVHdA43yiSNZTJen81ytnfwwhHZo4UWjX0mw0AClnTWKCB8ap1NBLMvMIqi6zibAK6Lxn EyIsuu8r+5UwqDd45xFjulIj5UPL7t0PzSO2u5G9SLFSDO6MfLGTuF04XmIkVhG9HPUF0m NhhFmwEPMSB0Bdnjnz+y0Ar6WNcAAmvkApQnolaQbI6QRYMbEQAbVrLdtIh9j/KaqxbI7G l7pKaxaX6ts9TIbmvXRBD+kRklagXvMw2iJcoRg8D9khQzBAp8/qVRQKKONXIg== Date: Sun, 3 Aug 2025 21:02:34 +0200 From: Michael Niedermayer To: FFmpeg development discussions and patches Message-ID: <20250803190234.GE29660@pb2> References: <20250803153139.GC29660@pb2> MIME-Version: 1.0 In-Reply-To: <20250803153139.GC29660@pb2> X-GND-State: clean X-GND-Score: -70 X-GND-Cause: gggruggvucftvghtrhhoucdtuddrgeeffedrtdefgdduuddtvdegucetufdoteggodetrfdotffvucfrrhhofhhilhgvmecuifetpfffkfdpucggtfgfnhhsuhgsshgtrhhisggvnecuuegrihhlohhuthemuceftddunecusecvtfgvtghiphhivghnthhsucdlqddutddtmdenfghrlhcuvffnffculdeftddmnecujfgurhepfffhvffukfhfgggtuggjsehgtderredttddvnecuhfhrohhmpefoihgthhgrvghlucfpihgvuggvrhhmrgihvghruceomhhitghhrggvlhesnhhivgguvghrmhgrhigvrhdrtggtqeenucggtffrrghtthgvrhhnpeeigeektdejudffjefhteegjedtgeettefggedthfejgfevhfetgeekjedtvdfhveenucfkphepgedurdeiiedrieehrddujeeinecuvehluhhsthgvrhfuihiivgeptdenucfrrghrrghmpehinhgvthepgedurdeiiedrieehrddujeeipdhhvghloheplhhotggrlhhhohhsthdpmhgrihhlfhhrohhmpehmihgthhgrvghlsehnihgvuggvrhhmrgihvghrrdgttgdpnhgspghrtghpthhtohepuddprhgtphhtthhopehffhhmphgvghdquggvvhgvlhesfhhfmhhpvghgrdhorhhg X-GND-Sasl: michael@niedermayer.cc Subject: Re: [FFmpeg-devel] rebasing security X-BeenThere: ffmpeg-devel@ffmpeg.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: FFmpeg development discussions and patches List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: FFmpeg development discussions and patches Content-Type: multipart/mixed; boundary="===============3849525979372628512==" Errors-To: ffmpeg-devel-bounces@ffmpeg.org Sender: "ffmpeg-devel" Archived-At: List-Archive: List-Post: --===============3849525979372628512== Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="q/Ey9J2N1LapX40F" Content-Disposition: inline --q/Ey9J2N1LapX40F Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable Hi On Sun, Aug 03, 2025 at 05:31:39PM +0200, Michael Niedermayer wrote: [...] > The solutions are obvious: > 1. ignore security and supply chain attacks > 2. use merges not rebases on the server > 3. rebase locally, use fast forward only > 4. verify on server rebases Maybe not everyone understood the problem. So let me try a different explanation. Without any signatures. In the ML workflow: (for simplicity we assume reviewer and commiter is the = same person) 1. someone posts a patch 2. patch is locally applied or rebased 3. commit is reviewed 4. commit is tested 5. commit is pushed Here the only way to get bad code in, is through the reviewer If the reviewer doesnt miss anything and his setup is not compromised then what he pushes is teh reviewed code if its manipulated after its pushed git should light up like a christmess t= ree on the next "git pull --rebase" With the rebase on webapp (gitlab or forgejo) workflow 1. someone posts a pull request 2. pr is reviewed 3. pr is approved 4. pr is rebased 5. pr is tested 6, pr is pushed now here of course the same reviewer trust or compromised scenarios exist but we also have an extra one and that is the server because the server strips the signatures during rebase it can modify the commit. And this happens after review and because a rebase was litterally requested by the reviewer its not likely to be noticed as something out of place thx [...] --=20 Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB When you are offended at any man's fault, turn to yourself and study your own failings. Then you will forget your anger. -- Epictetus --q/Ey9J2N1LapX40F Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iF0EABEKAB0WIQSf8hKLFH72cwut8TNhHseHBAsPqwUCaI+yRgAKCRBhHseHBAsP q/FuAJ49XEmXyyLmhJFotORXOEkX5+gsygCfaQudO1riAr5d72Gu8vm+XlVAFaM= =usG3 -----END PGP SIGNATURE----- --q/Ey9J2N1LapX40F-- --===============3849525979372628512== Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Disposition: inline _______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe". --===============3849525979372628512==--