From: Alexander Strasser via ffmpeg-devel
To: FFmpeg development discussions and patches
Cc: Alexander Strasser
Date: Wed, 6 Aug 2025 08:51:01 +0200
Subject: Re: [FFmpeg-devel] rebasing security
In-Reply-To: <20250805223748.GV29660@pb2>
References: <20250803153139.GC29660@pb2> <20250803190234.GE29660@pb2> <20250805223748.GV29660@pb2>
List-Id: FFmpeg development discussions and patches

On 2025-08-06 00:37 +0200, Michael Niedermayer wrote:
>
> On Mon, Aug 04, 2025 at 10:15:53PM +0200, Alexander Strasser via ffmpeg-devel wrote:
[...]
> > If I understand the original point you wanted to discuss correctly,
> > then this is not a question of rebase or merge but one of letting
> > **commits happen on the forge**. If it happens it bears the
> > possibility of modification on the server the forge is running on.
>
> It is a question of rebase vs merge because
> if the forge generates a merge A+B and let's assume it tampers with it
> this is trivially detectable from nothing but the git checkout
>
> To detect it:
> just redo every merge that is not signed or that is signed by the forgejo key
> the tree after it, either matches or it was very likely tampered with

That would require redoing each merge commit with exact metadata.
If you only compare the tree contents, that wouldn't be necessary
but is a good bit less secure.

> With rebases, detection is possible but more complex
> First you need not just the git checkout but every single pull request
> and exactly the last pushed one before the rebase and they need to have been
> signed.
> Then you can redo all the rebases and verify that they have not been tampered with
>
> With the merge case the last pull requests are part of the git checkout and
> signing is not critical because when something is part of a git checkout
> it's just hard to tamper with it, the author might notice it mismatches

I agree it's easier to check with merges, but it doesn't sound like
something usual people would do. So it would mostly only be relevant
if we set up something to double check.

IMHO we should not right now discuss and possibly change the workflow /
branching model of FFmpeg. Right now we have enough in limbo, so
changing this too might be a bit too much at a time.

As you already mentioned there are other advantages to merging, so
it might make sense to bring it up again at some point.

Alexander
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".