Date: Sun, 3 Aug 2025 22:29:35 +0200
From: Michael Niedermayer
To: FFmpeg development discussions and patches
Subject: Re: [FFmpeg-devel] rebasing security
Message-ID: <20250803202935.GG29660@pb2>
In-Reply-To: <972d5668-a860-43dd-912a-11e579d1aca4@rothenpieler.org>
References: <20250803153139.GC29660@pb2> <20250803190234.GE29660@pb2> <972d5668-a860-43dd-912a-11e579d1aca4@rothenpieler.org>

Hi Timo

On Sun, Aug 03, 2025 at 10:01:42PM +0200, Timo Rothenpieler wrote:
> On 8/3/2025 9:02 PM, Michael Niedermayer wrote:
> > Hi
> >
> > On Sun, Aug 03, 2025 at 05:31:39PM +0200, Michael Niedermayer wrote:
> > [...]
> > > The solutions are obvious:
> > > 1. ignore security and supply chain attacks
> > > 2. use merges not rebases on the server
> > > 3. rebase locally, use fast forward only
> > > 4. verify on server rebases
> >
> > Maybe not everyone understood the problem. So let me try a different
> > explanation. Without any signatures.
> >
> > In the ML workflow: (for simplicity we assume reviewer and committer are the same person)
> > 1. someone posts a patch
> > 2. patch is locally applied or rebased
> > 3. commit is reviewed
> > 4. commit is tested
> > 5. commit is pushed
> >
> > Here the only way to get bad code in, is through the reviewer
> > If the reviewer doesn't miss anything and his setup is not compromised
> > then what he pushes is the reviewed code
> >
> > if it's manipulated after it's pushed git should light up like a Christmas tree
> > on the next "git pull --rebase"
> >
> >
> > With the rebase on webapp (gitlab or forgejo) workflow
> > 1. someone posts a pull request
> > 2. pr is reviewed
> > 3. pr is approved
> > 4. pr is rebased
> > 5. pr is tested
> > 6. pr is pushed
> >
> > now here of course the same reviewer trust or compromised scenarios exist
> > but we also have an extra one and that is the server
> > because the server strips the signatures during rebase it can modify the
> > commit. And this happens after review and because a rebase was literally
> > requested by the reviewer it's not likely to be noticed as something out of
> > place

> If you as a pusher of commits want to sign them with your own key, you have
> to do that manually.
> There is no sane way for Forgejo to do that for you.

yes

>
> I can configure Forgejo to sign commits it itself generates, that is an
> option.

is there a disadvantage?

> See here for how it can do it on merges.
> https://forgejo.org/docs/latest/admin/advanced/signing/#pull-request-merges

confusing, so many options

>
> I think if I set it to "commitssigned", it'll check all commits in the PR
> against the user's configured GPG/SSH key, and if they are all valid, it'll
> then sign them with the instance key whenever it needs to modify them for an
> operation.
> "twofa" would also be an option, cause it indicates that the author of that
> commit has some reasonably strong proof that they are them themselves.

yeah, I have not thought deeply about it, they seem to want to indicate
something by signing commits.
To me signing my commits primarily is a way to say the commit was not tampered
with after I signed it.

thx

[...]
--
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

Rewriting code that is poorly written but fully understood is good.
Rewriting code that one doesn't understand is a sign that one is less smart
than the original author, trying to rewrite it will not make it better.
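One way to carry out option 4 from the thread ("verify on server rebases"), as an added example that is not part of the original message or of FFmpeg's or Forgejo's tooling: compare the patch IDs of the commits the reviewer approved with those of the commits that exist after the server-side rebase. The function names `patch_ids` and `verify_rebase` are hypothetical, and the four refs are assumed to be available in the reviewer's local clone.

```shell
#!/bin/sh
# Added example, not from the thread. Checks that a server-side rebase did not
# change the content of the commits that were reviewed.
#
# Usage: verify_rebase <old-base> <reviewed-tip> <new-base> <rebased-tip>
#   old-base..reviewed-tip : the commits the reviewer approved (local copy)
#   new-base..rebased-tip  : the commits the server produced by rebasing

# Print one stable patch ID per non-merge commit in base..tip, oldest first.
# A patch ID is a hash of the diff with line numbers and whitespace ignored,
# so it survives a clean rebase even though every commit hash changes.
patch_ids() {
    git log --reverse --no-merges -p "$1..$2" \
        | git patch-id --stable \
        | cut -d' ' -f1
}

verify_rebase() {
    reviewed=$(patch_ids "$1" "$2")
    rebased=$(patch_ids "$3" "$4")

    # An empty reviewed range would make any empty rebased range "match".
    if [ -z "$reviewed" ]; then
        echo "ERROR: no reviewed commits found in $1..$2" >&2
        return 2
    fi

    if [ "$reviewed" = "$rebased" ]; then
        echo "OK: rebased commits carry exactly the reviewed patches"
        return 0
    fi

    echo "MISMATCH: rebased series differs from the reviewed series" >&2
    return 1
}
```

Patch IDs do not cover commit messages or authorship and ignore whitespace, and a rebase that legitimately changes diff context will also report a mismatch. In that case `git range-diff` shows what differs between the two series.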