ksummit.lists.linux.dev archive mirror
 help / color / mirror / Atom feed
From: Geert Uytterhoeven <geert@linux-m68k.org>
To: Konstantin Ryabitsev <konstantin@linuxfoundation.org>
Cc: Bjorn Helgaas <helgaas@kernel.org>,
	ksummit <ksummit-discuss@lists.linuxfoundation.org>
Subject: Re: [Ksummit-discuss] Topics for the Maintainer's Summit
Date: Mon, 9 Sep 2019 12:59:26 +0200	[thread overview]
Message-ID: <CAMuHMdXxcJhNqPZBpf4QHpECN=aDXe7uYv3F2S4re04YaRUypA@mail.gmail.com> (raw)
In-Reply-To: <20190909101606.GB9452@pure.paranoia.local>

Hi Konstantin,

On Mon, Sep 9, 2019 at 12:16 PM Konstantin Ryabitsev
<konstantin@linuxfoundation.org> wrote:
> On Mon, Sep 09, 2019 at 11:49:48AM +0200, Geert Uytterhoeven wrote:
> > > We can still have the review on emailed patches, and we could still use
> > > git am to apply patches from email, with better reliability if the
> > > sending was done by a service in, say, kernel.org control. Though if we
> > > had the series automatically available in a branch, I'd think people
> > > would move over to picking up the commits from git. And email would only
> > > be used for communication, not data transfer.
> >
> > Do we trust the branch to contain the exact same commits as the
> > patches reviewed on the mailing list?
> > For an automatic service on kernel.org, we could.
>
> But we really shouldn't, considering kernel.org is the exact kind of
> target that attackers would go after if it was implicitly trusted by

Sure.

> developers. Once patches have been reviewed by maintainers and merged
> into their tree, we should be using cryptographic attestation for all
> git-centric operations after that -- regardless of whether you pulled
> from kernel.org or any other location.

We already use cryptographic attestations for the later operations.

So the weakest link seems to be the step between public review and
import into git by the maintainer.  E.g.
  - The review chain on multiple submissions: Vn+1 may contain an evil
     change that was not in Vn.  As this happens in public, it may be
     noticed by reviewers.
  - The path between patch submission and git-am:  if a patchwork
    instance is compromised, evil changes may sneak in.

Gr{oetje,eeting}s,

                        Geert

-- 
Geert Uytterhoeven -- There's lots of Linux beyond ia32 -- geert@linux-m68k.org

In personal conversations with technical people, I call myself a hacker. But
when I'm talking to journalists I just say "programmer" or something like that.
                                -- Linus Torvalds

  reply	other threads:[~2019-09-09 10:59 UTC|newest]

Thread overview: 37+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-08-30  3:17 [Ksummit-discuss] Topics for the Maintainer's Summit Theodore Y. Ts'o
2019-08-30 12:01 ` Wolfram Sang
2019-08-30 13:58 ` Shuah Khan
2019-08-30 14:36   ` shuah
2019-08-30 13:58 ` Bjorn Helgaas
2019-09-02 15:09   ` Shuah Khan
2019-09-02 20:42   ` Dave Airlie
2019-09-02 22:22     ` Theodore Y. Ts'o
2019-09-03  2:35       ` Olof Johansson
2019-09-03  3:05         ` Randy Dunlap
2019-09-03 13:29       ` Laura Abbott
2019-09-03 16:07         ` Linus Torvalds
2019-09-03 17:27           ` Konstantin Ryabitsev
2019-09-03 17:40             ` Bjorn Helgaas
2019-09-06 10:21               ` Rob Herring
2019-09-19  1:47                 ` Bjorn Helgaas
2019-09-19 20:52                   ` Rob Herring
2019-09-20 13:37                     ` Mark Brown
2019-09-03 17:57             ` Mark Brown
2019-09-03 18:14             ` Dan Williams
2019-09-03 21:59             ` Wolfram Sang
2019-09-04  8:34             ` Jan Kara
2019-09-04 12:08             ` Laurent Pinchart
2019-09-04 13:47               ` Konstantin Ryabitsev
2019-09-05  8:21                 ` Jani Nikula
2019-09-06 10:50                   ` Rob Herring
2019-09-06 19:21                     ` Linus Torvalds
2019-09-06 19:53                       ` Olof Johansson
2019-09-09  8:40                         ` Jani Nikula
2019-09-09  9:49                           ` Geert Uytterhoeven
2019-09-09 10:16                             ` Konstantin Ryabitsev
2019-09-09 10:59                               ` Geert Uytterhoeven [this message]
2019-09-09 12:37                                 ` Konstantin Ryabitsev
     [not found]                     ` <20190911095305.36104206A1@mail.kernel.org>
2019-09-11 11:03                       ` Christoph Hellwig
2019-09-13  8:19                       ` Matthias Brugger
2019-09-05  7:01           ` Jani Nikula
2019-09-05 15:26             ` Theodore Y. Ts'o

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to='CAMuHMdXxcJhNqPZBpf4QHpECN=aDXe7uYv3F2S4re04YaRUypA@mail.gmail.com' \
    --to=geert@linux-m68k.org \
    --cc=helgaas@kernel.org \
    --cc=konstantin@linuxfoundation.org \
    --cc=ksummit-discuss@lists.linuxfoundation.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).