From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from ffbox0-bg.ffmpeg.org (ffbox0-bg.ffmpeg.org [79.124.17.100]) by master.gitmailbox.com (Postfix) with ESMTPS id C3A734C8C9 for ; Wed, 6 Aug 2025 11:50:25 +0000 (UTC) Received: from [127.0.1.1] (localhost [127.0.0.1]) by ffbox0-bg.ffmpeg.org (Postfix) with ESMTP id 77D2E68BB4E; Wed, 6 Aug 2025 14:50:21 +0300 (EEST) Received: from relay8-d.mail.gandi.net (relay8-d.mail.gandi.net [217.70.183.201]) by ffbox0-bg.ffmpeg.org (Postfix) with ESMTPS id 04F1F687D15 for ; Wed, 6 Aug 2025 14:50:14 +0300 (EEST) Received: by mail.gandi.net (Postfix) with ESMTPSA id DBFC143370 for ; Wed, 6 Aug 2025 11:50:13 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=niedermayer.cc; s=gm1; t=1754481014; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=FdcmfWQx5aY6NlkoWsrhJ37DsFC9IPcuU0W/rI4cOS4=; b=TC++mPGMC1KYImWXpWRWTUC4IBWjsNY6ypHiTPS3ISZ7vwC73P1xueHaOSTZsN8guhMN0i LbzjAViLttB8L8raCjIT5D8cvZR3Lk9eUVIezw82WdZsr75PxLXBHXYmJJmApEs4240hCs rj+nGkA4BhkwPX9ayTa5ginnNr9JSOUgv2CBL85Ra24NXbbpYO8DokM/gnW7gtX7qiTPRl sB9gkGtt+kNSjKoQQI5QFcuYfTCid/ZhZvCsKjb2bsezUjERcT6WgVjKue7uLsZEJffoT7 OhAn0IfC/OU7FNL3ZMy0q9LLmopj7fD+mrakvRCbhMlMTHZqTAdeNKwnysQrCQ== Date: Wed, 6 Aug 2025 13:50:12 +0200 From: Michael Niedermayer To: FFmpeg development discussions and patches Message-ID: <20250806115012.GX29660@pb2> References: <20250803153139.GC29660@pb2> <20250803190234.GE29660@pb2> <20250805223748.GV29660@pb2> MIME-Version: 1.0 In-Reply-To: X-GND-State: clean X-GND-Score: -70 X-GND-Cause: gggruggvucftvghtrhhoucdtuddrgeeffedrtdefgdduudejleejucetufdoteggodetrfdotffvucfrrhhofhhilhgvmecuifetpfffkfdpucggtfgfnhhsuhgsshgtrhhisggvnecuuegrihhlohhuthemuceftddunecusecvtfgvtghiphhivghnthhsucdlqddutddtmdenfghrlhcuvffnffculdeftddmnecujfgurhepfffhvffukfhfgggtuggjsehgtderredttddvnecuhfhrohhmpefoihgthhgrvghlucfpihgvuggvrhhmrgihvghruceomhhitghhrggvlhesnhhivgguvghrmhgrhigvrhdrtggtqeenucggtffrrghtthgvrhhnpeeigeektdejudffjefhteegjedtgeettefggedthfejgfevhfetgeekjedtvdfhveenucfkphepgedurdeiiedrieehrddujeeinecuvehluhhsthgvrhfuihiivgeptdenucfrrghrrghmpehinhgvthepgedurdeiiedrieehrddujeeipdhhvghloheplhhotggrlhhhohhsthdpmhgrihhlfhhrohhmpehmihgthhgrvghlsehnihgvuggvrhhmrgihvghrrdgttgdpnhgspghrtghpthhtohepuddprhgtphhtthhopehffhhmphgvghdquggvvhgvlhesfhhfmhhpvghgrdhorhhg X-GND-Sasl: michael@niedermayer.cc Subject: Re: [FFmpeg-devel] rebasing security X-BeenThere: ffmpeg-devel@ffmpeg.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: FFmpeg development discussions and patches List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: FFmpeg development discussions and patches Content-Type: multipart/mixed; boundary="===============0296579126282669284==" Errors-To: ffmpeg-devel-bounces@ffmpeg.org Sender: "ffmpeg-devel" Archived-At: List-Archive: List-Post: --===============0296579126282669284== Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="W1Zwp0dProLT85vt" Content-Disposition: inline --W1Zwp0dProLT85vt Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable Hi On Wed, Aug 06, 2025 at 08:51:01AM +0200, Alexander Strasser via ffmpeg-dev= el wrote: > On 2025-08-06 00:37 +0200, Michael Niedermayer wrote: > >=20 > > On Mon, Aug 04, 2025 at 10:15:53PM +0200, Alexander Strasser via ffmpeg= -devel wrote: > [...] > > >=20 > > > If I understand the original point you wanted to discuss correctly, > > > than this is not a question of rebase or merge but one of letting > > > **commits happen on the forge**. If it happens it bears the > > > possibility of modification on the server the forge is running on. > >=20 > > It is a question of rebase vs merge because > > if the forge generates a merge A+B and lets assume it tampers with it > > this is trivially detectable from nothing than just the git checkout > >=20 > > To detect it: > > just redo every merge that is not signed or that is signed by the forge= jo key > > the tree after it, either matches or it was very likely tampered with >=20 > That would require to redo each merge commit with exact meta. > If you only compare the tree contents, that wouldn't be necessary but is > a good bit less secure. more checking, is better, yes >=20 >=20 > > With rebases, detection is possible but more complex > > First you need not just the git checkout but every single pull request > > and exactly the last pushed one before the rebase and they need to have= been > > signed. > > Then you can redo all the rebases and verify that they have not been ta= mpered with > >=20 > > With the merge case the last pull requests are part of the git checkout= and > > signing is not critical because when something is part of a git checkout > > its just hard to tamper with it, the author might notice it mismatches >=20 > I agree it's easier to check with merges, but it doesn't sound like > something usual people would do. So would mostly only be relevant if > we set up something to double check. >=20 >=20 > IMHO we should not right now discuss and possibly change > workflow / branching model of FFmpeg. Right now we have enough in limbo, > so changing this too might be a bit too much at a time. >=20 > As you already mentioned there are other advantages to merging, so > it might make sense to bring it up again at some point. as long as the people take responsibility for their decission, iam perfectly fine with it. I just like to make it clear that the "on server rebase with no verificatio= n" is a community choice, not my choice. thx [...] --=20 Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB it is not once nor twice but times without number that the same ideas make their appearance in the world. -- Aristotle --W1Zwp0dProLT85vt Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iF0EABEKAB0WIQSf8hKLFH72cwut8TNhHseHBAsPqwUCaJNBcQAKCRBhHseHBAsP qxzcAJoDhKiGi7suEoyFgr9JjqcE+/DXCACgghQlTcpUVDHrDtLCiGvNw5FTi7w= =tYTy -----END PGP SIGNATURE----- --W1Zwp0dProLT85vt-- --===============0296579126282669284== Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Disposition: inline _______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe". --===============0296579126282669284==--