From: Konstantin Ryabitsev <konstantin@linuxfoundation.org>
To: Han-Wen Nienhuys <hanwen@google.com>
Cc: "Theodore Y. Ts'o" <tytso@mit.edu>,
Dmitry Vyukov <dvyukov@google.com>,
Laura Abbott <labbott@redhat.com>,
Don Zickus <dzickus@redhat.com>,
Steven Rostedt <rostedt@goodmis.org>,
Daniel Axtens <dja@axtens.net>,
David Miller <davem@davemloft.net>, Drew DeVault <sir@cmpwn.com>,
Neil Horman <nhorman@tuxdriver.com>,
workflows@vger.kernel.org
Subject: Re: thoughts on a Merge Request based development workflow
Date: Tue, 15 Oct 2019 15:41:03 -0400 [thread overview]
Message-ID: <20191015194103.GA23517@chatter.i7.local> (raw)
In-Reply-To: <CAFQ2z_OyzfGDKQgzWNGoj4dpx-15B=kZkmOvJr9LU5AjfK=y0A@mail.gmail.com>
On Tue, Oct 15, 2019 at 09:15:27PM +0200, Han-Wen Nienhuys wrote:
>> As I see it, there are the following things that would make Gerrit a
>> difficult proposition:
>>
>> 1. A gerrit instance would introduce a single source of failure, which
>> is something many see as undesirable. If there's a DoS attack, Google
>> can restrict access to their Gerrit server to limit the requests to
>> only come from their corporate IP ranges, but kernel.org cannot do
>> the same, so anyone relying on gerrit.kernel.org cannot do any work
>> while it is unavailable.
>
>I don't understand your scenario. Are you concerned that Google would
>protect DoS attacks by limiting traffic to the corp network?
>
>Or are you concerned that kernel.org has no DoS protection?
Kernel.org operates on a pretty small budget, largely using
infrastructure donated by kind entities. If it suddenly becomes a
liability, I'm sure those entities will kick us out. A large, sustained
DoS attack would be one such liability, and due to the nature of git, we
can't really hide behind cloudfront or any other DoS-mitigation
platforms.
If a DoS attack is waged against Google's gerrit server, they can drop
the packets at the perimeter and still keep the service available to
Google engineers coming from internally routed traffic. This is not an
option for kernel.org, so a DoS attack against a central resource would
be super effective in stopping all work on Linux.
>
>How does DoS protection for kernel.org work today? If someone DoSes
>git.kernel.org with its 1000s of git trees, how do people get work
>done?
The git trees on kernel.org are just convenient copies. Most kernel
development is done via mailing patches, which is a distributed and
DoS-resistant process. The only time git.kernel.org enters into the
picture is when people need to send a pull request to Linus (via email).
If kernel.org is out for an extended period of time, they would just
push their repo elsewhere and send a pull request referencing the new
URL. Since Linus checks PGP signatures when pulling remotes, the
repository can be hosted anywhere at all without needing to trust the
infrastructure.
With gerrit, if gerrit.kernel.org is down, then everything grinds to a
halt. If it's down for an extended period of time, then in theory people
can push their git trees elsewhere, but then they would have to
force-push back to gerrit once it's back up.
>> 2. There is limited support for attestation with Gerrit. A change
>> request can contain a digital signature, but any comments surrounding
>> it do not. It would be easy for the administrator of the gerrit
>> instance to forge a +1 or +2 on a CR making it look like it came from
>> the maintainer or the CI service (in other words, we are back to
>> explicitly trusting the infrastructure and IT admins).
>
>Does anyone use attestation/PGP signing for their code reviews that
>are conducted over Email? How many people use PGP signing on their
>commits?
>
>How does email figure into this story? Email has no authentication at
>all, so if this is a requirement, you should probably stop using email
>for reviews.
Well, it's one of the problems we are trying to solve! Linus verifies
PGP signatures on all pull requests he receives that aren't coming from
git.kernel.org (and I always complain to him that he shouldn't make an
exception in our case either).
And we *are* trying to stop using email for reviews -- preferably
without introducing single points of trust and single points of failure.
>> 3. There is no email bridge, only notifications. Switching to gerrit
>> would require a flag-day when everyone must start using it (or stop
>> participating in kernel development).
>
>Gerrit sends out email for comments. If you reply to that email,
>Gerrit ingests the comment and puts it in the review.
Ah, okay, I guess we've never configured it that way. But you can't
+1/+2/Merge anything using this mechanism, right? Otherwise that would
be a backchannel around authentication. :)
-K
next prev parent reply other threads:[~2019-10-15 19:41 UTC|newest]
Thread overview: 102+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-09-24 18:25 thoughts on a Merge Request based development workflow Neil Horman
2019-09-24 18:37 ` Drew DeVault
2019-09-24 18:53 ` Neil Horman
2019-09-24 20:24 ` Laurent Pinchart
2019-09-24 22:25 ` Neil Horman
2019-09-25 20:50 ` Laurent Pinchart
2019-09-25 21:54 ` Neil Horman
2019-09-26 0:40 ` Neil Horman
2019-09-28 22:58 ` Steven Rostedt
2019-09-28 23:16 ` Dave Airlie
2019-09-28 23:52 ` Steven Rostedt
2019-10-01 3:22 ` Daniel Axtens
2019-10-01 21:14 ` Bjorn Helgaas
2019-09-29 11:57 ` Neil Horman
2019-09-29 12:55 ` Dmitry Vyukov
2019-09-30 1:00 ` Neil Horman
2019-09-30 6:05 ` Dmitry Vyukov
2019-09-30 12:55 ` Neil Horman
2019-09-30 13:20 ` Nicolas Belouin
2019-09-30 13:40 ` Dmitry Vyukov
2019-09-30 21:02 ` Konstantin Ryabitsev
2019-09-30 14:51 ` Theodore Y. Ts'o
2019-09-30 15:15 ` Steven Rostedt
2019-09-30 16:09 ` Geert Uytterhoeven
2019-09-30 20:56 ` Konstantin Ryabitsev
2019-10-08 1:00 ` Stephen Rothwell
2019-09-26 10:23 ` Geert Uytterhoeven
2019-09-26 13:43 ` Neil Horman
2019-10-07 15:33 ` David Miller
2019-10-07 15:35 ` Drew DeVault
2019-10-07 16:20 ` Neil Horman
2019-10-07 16:24 ` Drew DeVault
2019-10-07 18:43 ` David Miller
2019-10-07 19:24 ` Eric Wong
2019-10-07 15:47 ` Steven Rostedt
2019-10-07 18:40 ` David Miller
2019-10-07 18:45 ` David Miller
2019-10-07 19:21 ` Steven Rostedt
2019-10-07 21:49 ` Theodore Y. Ts'o
2019-10-07 23:00 ` Daniel Axtens
2019-10-08 0:39 ` Eric Wong
2019-10-08 1:26 ` Daniel Axtens
2019-10-08 2:11 ` Eric Wong
2019-10-08 3:24 ` Daniel Axtens
2019-10-08 6:03 ` Eric Wong
2019-10-08 10:06 ` Daniel Axtens
2019-10-08 13:19 ` Steven Rostedt
2019-10-08 18:46 ` Rob Herring
2019-10-08 21:36 ` Eric Wong
2019-10-08 1:17 ` Steven Rostedt
2019-10-08 16:43 ` Don Zickus
2019-10-08 17:17 ` Steven Rostedt
2019-10-08 17:39 ` Don Zickus
2019-10-08 19:05 ` Konstantin Ryabitsev
2019-10-08 20:32 ` Don Zickus
2019-10-08 21:35 ` Konstantin Ryabitsev
2019-10-09 21:50 ` Laura Abbott
2019-10-10 12:48 ` Neil Horman
2019-10-09 21:35 ` Laura Abbott
2019-10-09 21:54 ` Konstantin Ryabitsev
2019-10-09 22:09 ` Laura Abbott
2019-10-09 22:19 ` Dave Airlie
2019-10-09 22:21 ` Eric Wong
2019-10-09 23:56 ` Konstantin Ryabitsev
2019-10-10 0:07 ` Eric Wong
2019-10-10 7:35 ` Nicolas Belouin
2019-10-10 12:53 ` Steven Rostedt
2019-10-10 14:21 ` Dmitry Vyukov
2019-10-11 7:12 ` Nicolas Belouin
2019-10-11 13:56 ` Dmitry Vyukov
2019-10-14 7:31 ` Nicolas Belouin
2019-10-10 17:52 ` Dmitry Vyukov
2019-10-10 20:57 ` Theodore Y. Ts'o
2019-10-11 11:01 ` Dmitry Vyukov
2019-10-11 12:54 ` Theodore Y. Ts'o
2019-10-14 19:08 ` Han-Wen Nienhuys
2019-10-15 1:54 ` Theodore Y. Ts'o
2019-10-15 12:00 ` Daniel Vetter
2019-10-15 13:14 ` Han-Wen Nienhuys
2019-10-15 13:45 ` Daniel Vetter
2019-10-16 18:56 ` Han-Wen Nienhuys
2019-10-16 19:08 ` Mark Brown
2019-10-17 10:22 ` Han-Wen Nienhuys
2019-10-17 11:24 ` Mark Brown
2019-10-17 11:49 ` Daniel Vetter
2019-10-17 12:09 ` Han-Wen Nienhuys
2019-10-17 12:53 ` Daniel Vetter
2019-10-15 16:07 ` Greg KH
2019-10-15 16:35 ` Steven Rostedt
2019-10-15 18:58 ` Han-Wen Nienhuys
2019-10-15 19:33 ` Greg KH
2019-10-15 20:03 ` Mark Brown
2019-10-15 19:50 ` Mark Brown
2019-10-15 18:37 ` Konstantin Ryabitsev
2019-10-15 19:15 ` Han-Wen Nienhuys
2019-10-15 19:35 ` Greg KH
2019-10-15 19:41 ` Konstantin Ryabitsev [this message]
2019-10-16 18:33 ` Han-Wen Nienhuys
2019-10-09 2:02 ` Daniel Axtens
2019-09-24 23:15 ` David Rientjes
2019-09-25 6:35 ` Toke Høiland-Jørgensen
2019-09-25 10:49 ` Neil Horman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20191015194103.GA23517@chatter.i7.local \
--to=konstantin@linuxfoundation.org \
--cc=davem@davemloft.net \
--cc=dja@axtens.net \
--cc=dvyukov@google.com \
--cc=dzickus@redhat.com \
--cc=hanwen@google.com \
--cc=labbott@redhat.com \
--cc=nhorman@tuxdriver.com \
--cc=rostedt@goodmis.org \
--cc=sir@cmpwn.com \
--cc=tytso@mit.edu \
--cc=workflows@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.