Re: merging pull requests

[Steven Rostedt <rostedt@goodmis.org>]

On Thu, 30 Sep 2021 16:42:58 -0700
Kees Cook <keescook@chromium.org> wrote:

> Now I publish my tree, and sign a tag for it for a pull request. Whoever
> does that pull can only check my tag and has to trust I checked what
> went into my tree. At the end of the day, that's exactly what the
> tag signature is for: whoever is pulling must trust the PR sender for
> all kinds of reasons. But there isn't a way to mechanically perform an
> integrity check on the components of those results: the merged mbox with
> the signature headers or the remote tag signature aren't associated
> with the resulting branch any more.

As I've mentioned before, I have a personalized patchwork instance that
runs against my inbox. I pull from that patchwork to pull into my git
tree (which all patches must at least go to LKML). I also subscribe to
all commits that go into Linus's tree, and those patches run against
the patches in my inbox patchwork database. If a match is found, the
patch changes from "Under Review" (which gets set to that when it's
posted as my "for-next" or "for-linus" emails) to "Accepted", and they
no longer appear in my default view.

Thus, if the patch changes for the time I reviewed it, to the time it
gets into Linus's tree, that patch will not be removed from my
patchwork database. Which causes me to examine further.

> 
> But given that maintainers may tweak what was sent to them or squash
> fixes, there's likely no point in that kind of integrity chain...

I sometimes make slight changes, usually do to conflicts with other
changes. In these cases, I have to manually set the patches in my
database to "Accepted", but I don't do that without manually examining
what is in Linus's tree and what is in patchwork.

-- Steve