From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from ffbox0-bg.ffmpeg.org (ffbox0-bg.ffmpeg.org [79.124.17.100]) by master.gitmailbox.com (Postfix) with ESMTPS id 7429A4C830 for ; Tue, 5 Aug 2025 22:38:02 +0000 (UTC) Received: from [127.0.1.1] (localhost [127.0.0.1]) by ffbox0-bg.ffmpeg.org (Postfix) with ESMTP id 9FBED68C7E7; Wed, 6 Aug 2025 01:37:57 +0300 (EEST) Received: from relay1-d.mail.gandi.net (relay1-d.mail.gandi.net [217.70.183.193]) by ffbox0-bg.ffmpeg.org (Postfix) with ESMTPS id 847806879E4 for ; Wed, 6 Aug 2025 01:37:50 +0300 (EEST) Received: by mail.gandi.net (Postfix) with ESMTPSA id C269A43284 for ; Tue, 5 Aug 2025 22:37:49 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=niedermayer.cc; s=gm1; t=1754433469; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=j5RYtFq+jr6M0myQ6BJvybYfq8ZrfYunCnJs8LgMpRI=; b=Tz13QKVw9fAIOKirCTo3Bl4vnILG3AidvNkLUn9OdkDZQS+j1MCbVg6ZVxToNBkpvnIv+e 5g8Z2Hph50gGkpuvi8HXIE2LghAhRUgATA71zeit3EitJU+lnwjFXB6Rx7RG/jzQS6im1r POkoflxRvR3LRvzCXiXMjWRWFSK8zF7wjyUMWiN+k/u0uOR41g1XTs+7+eTqTyuGkk194Q Nw6EhaCMb2ETyAyIHeuFy9IBK0+IgN6pwiraystrg7zaKok3Wz5ThYBhaV5WpHAEAqPcpp xYQ7y7G7c1UwbB7mvGXx5xHtB7Iq3VhTJZpEX5Ti8qxDcX9u/etBEeXZ9qoruw== Date: Wed, 6 Aug 2025 00:37:48 +0200 From: Michael Niedermayer To: FFmpeg development discussions and patches Message-ID: <20250805223748.GV29660@pb2> References: <20250803153139.GC29660@pb2> <20250803190234.GE29660@pb2> MIME-Version: 1.0 In-Reply-To: X-GND-State: clean X-GND-Score: -70 X-GND-Cause: gggruggvucftvghtrhhoucdtuddrgeeffedrtdefgdduudeifeekucetufdoteggodetrfdotffvucfrrhhofhhilhgvmecuifetpfffkfdpucggtfgfnhhsuhgsshgtrhhisggvnecuuegrihhlohhuthemuceftddunecusecvtfgvtghiphhivghnthhsucdlqddutddtmdenfghrlhcuvffnffculdeftddmnecujfgurhepfffhvffukfhfgggtuggjsehgtderredttddvnecuhfhrohhmpefoihgthhgrvghlucfpihgvuggvrhhmrgihvghruceomhhitghhrggvlhesnhhivgguvghrmhgrhigvrhdrtggtqeenucggtffrrghtthgvrhhnpeeigeektdejudffjefhteegjedtgeettefggedthfejgfevhfetgeekjedtvdfhveenucfkphepgedurdeiiedrieehrddujeeinecuvehluhhsthgvrhfuihiivgeptdenucfrrghrrghmpehinhgvthepgedurdeiiedrieehrddujeeipdhhvghloheplhhotggrlhhhohhsthdpmhgrihhlfhhrohhmpehmihgthhgrvghlsehnihgvuggvrhhmrgihvghrrdgttgdpnhgspghrtghpthhtohepuddprhgtphhtthhopehffhhmphgvghdquggvvhgvlhesfhhfmhhpvghgrdhorhhg X-GND-Sasl: michael@niedermayer.cc Subject: Re: [FFmpeg-devel] rebasing security X-BeenThere: ffmpeg-devel@ffmpeg.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: FFmpeg development discussions and patches List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: FFmpeg development discussions and patches Content-Type: multipart/mixed; boundary="===============5249333379734145446==" Errors-To: ffmpeg-devel-bounces@ffmpeg.org Sender: "ffmpeg-devel" Archived-At: List-Archive: List-Post: --===============5249333379734145446== Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="lP2ddSVDJz1Dawt+" Content-Disposition: inline --lP2ddSVDJz1Dawt+ Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable Hi Alexander On Mon, Aug 04, 2025 at 10:15:53PM +0200, Alexander Strasser via ffmpeg-dev= el wrote: > Hi Michael, > hi all! >=20 > I think it's a good time to bring stuff like this up for discussion. >=20 > On 2025-08-03 21:02 +0200, Michael Niedermayer wrote: > >=20 > > On Sun, Aug 03, 2025 at 05:31:39PM +0200, Michael Niedermayer wrote: > > [...] > > > The solutions are obvious: > > > 1. ignore security and supply chain attacks > > > 2. use merges not rebases on the server > > > 3. rebase locally, use fast forward only > > > 4. verify on server rebases > >=20 > > Maybe not everyone understood the problem. So let me try a different > > explanation. Without any signatures. > >=20 > > In the ML workflow: (for simplicity we assume reviewer and commiter is = the same person) > > 1. someone posts a patch > > 2. patch is locally applied or rebased > > 3. commit is reviewed > > 4. commit is tested > > 5. commit is pushed > >=20 > > Here the only way to get bad code in, is through the reviewer > > If the reviewer doesnt miss anything and his setup is not compromised > > then what he pushes is teh reviewed code > >=20 > > if its manipulated after its pushed git should light up like a christme= ss tree > > on the next "git pull --rebase" > >=20 > >=20 > > With the rebase on webapp (gitlab or forgejo) workflow > > 1. someone posts a pull request > > 2. pr is reviewed > > 3. pr is approved > > 4. pr is rebased > > 5. pr is tested > > 6, pr is pushed > >=20 > > now here of course the same reviewer trust or compromised scenarios exi= st > > but we also have an extra one and that is the server > > because the server strips the signatures during rebase it can modify the > > commit. And this happens after review and because a rebase was litteral= ly > > requested by the reviewer its not likely to be noticed as something out= of > > place >=20 > If I understand the original point you wanted to discuss correctly, > than this is not a question of rebase or merge but one of letting > **commits happen on the forge**. If it happens it bears the > possibility of modification on the server the forge is running on. It is a question of rebase vs merge because if the forge generates a merge A+B and lets assume it tampers with it this is trivially detectable from nothing than just the git checkout To detect it: just redo every merge that is not signed or that is signed by the forgejo k= ey the tree after it, either matches or it was very likely tampered with With rebases, detection is possible but more complex First you need not just the git checkout but every single pull request and exactly the last pushed one before the rebase and they need to have been signed. Then you can redo all the rebases and verify that they have not been tamper= ed with With the merge case the last pull requests are part of the git checkout and signing is not critical because when something is part of a git checkout its just hard to tamper with it, the author might notice it mismatches thx [...] --=20 Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB Some Animals are More Equal Than Others. - George Orwell's book Animal Farm --lP2ddSVDJz1Dawt+ Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iF0EABEKAB0WIQSf8hKLFH72cwut8TNhHseHBAsPqwUCaJKHuQAKCRBhHseHBAsP q6YSAJ9X+ZDdIxZzwK/OuoNWHje8Ovsr+wCfXhQ4TK8yfHOIwHchu/g3ZEJKcbY= =PKGP -----END PGP SIGNATURE----- --lP2ddSVDJz1Dawt+-- --===============5249333379734145446== Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Disposition: inline _______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe". --===============5249333379734145446==--