Re: merging pull requests

[Konstantin Ryabitsev <konstantin@linuxfoundation.org>]

On Thu, Sep 30, 2021 at 04:42:58PM -0700, Kees Cook wrote:
> The only "hole" I see with the integrity checking is that since only tags
> or mbox headers are signed, and those aren't part of the merge, there
> isn't a easy way that I see to follow the integrity chain for a given
> resulting tree. (Which is technically different from the "trust" chain.)

This is unavoidable with the current workflow because commit messages will
necessarily get modified when S-o-b and other trailers get injected. I do not
think attempting the "commits must remain immutable" approach is worthwhile,
as I think there's more value in allowing maintainers to tweak the code they
receive.

> For example, for stuff going into my tree:
> - If it's from an mbox, I can easily check that the patches haven't changed
>   in flight when the author used b4/patatt to wrap the email delivery.
> - If it's from a remote tag, I can check the tag signature.
> This is all fine.
> 
> Now I publish my tree, and sign a tag for it for a pull request. Whoever
> does that pull can only check my tag and has to trust I checked what
> went into my tree.

I think there are two different attestation targets here. What I've been
working on is in-transit attestation, with the goal to make patches
tamper-evident. What you're describing sounds to me more like
cryptographically-backed signoffs. I think tools like sigstore [1] and
external attestation documents are actually better suited for this.

I don't want to wander too far down that path at the moment, but it's perhaps
something to consider in the future. With patatt in-header signatures, you
*can* perform attestation if each commit includes a Link: to the original
patch message (and that message is cryptographically attested).

[1] https://www.sigstore.dev/

-K