Re: Making GitGitGadget conversion lossless

From: Konstantin Ryabitsev <konstantin@linuxfoundation.org>
To: Junio C Hamano <gitster@pobox.com>
Cc: git@vger.kernel.org, vegard.nossum@oracle.com
Subject: Re: Making GitGitGadget conversion lossless
Date: Wed, 26 Feb 2020 16:35:15 -0500	[thread overview]
Message-ID: <20200226213515.t2aa4o4nquaaz6vg@chatter.i7.local> (raw)
In-Reply-To: <xmqq5zfthxlw.fsf@gitster-ct.c.googlers.com>

On Wed, Feb 26, 2020 at 01:01:15PM -0800, Junio C Hamano wrote:
> Isn't this already available by recording the base-commit
> information?
> 
> > - author/committer information
> > - cryptographic attestation (gpgsig)
> 
> I think you are aiming to come up with bit-for-bit identical commit
> the sender had, and I would imagine that the easiest and least
> disruptive way to do so is to add a compressed and ascii-armored
> copy of "git cat-file commit" output of the original commit after
> the "---" line before the diff/diffstat of the e-mailed patch.  The
> receiving end can then act on it when given some option by
> 
>  - first recover the contents of the commit object (call it #1);
>  - learn the parent commit(s) and check out the tree;
>  - apply the patch in the remainder of the patch e-mail to the tree;
>  - make sure that the result of patch application gives the tree object
>    recorded in #1;
>  - run "hash-object -t commit -w" over #1 that gives you a commit
>    object that is bit-for-bit identical.

Right, I just don't want to be doing this in a separate tool. :)

> As I said already, I do not think that the desire to get the
> bit-for-bit identical commit is compatible with the idea to discuss
> e-mailed patches---the pieces of patch e-mail will become "you may
> look at them, you may apply them, but it is no use to comment on
> them to get them improved".

I disagree -- specifically from the attestation point of view. One of 
the drawbacks of platforms like lore.kernel.org is that it creates an 
opportunity for a malicious actor to compromise it and modify patches 
that they know will be downloaded and applied by Linux maintainers -- so 
my goal is to ensure that we do not have to trust lore.kernel.org in 
order to trust patches downloaded from it. This means some mechanism for 
end-to-end patch attestation.

There are two avenues that I am pursuing for this purpose:

1. being able to submit attestation information out-of-band, see 
   discussion here: 
   https://lore.kernel.org/workflows/20200226172502.q3fl67ealxsonfgp@chatter.i7.local/T/#u
2. being able to preserve commit signatures as they are converted into 
   patches and back

I know that it is very uncommon for patches to be applied without any 
changes, because the maintainer would almost always add their 
Signed-off-by trailer before applying it to their tree. However, 
preserving full commit metadata allows checking cryptographic 
attestation *before* adding trailers or making any other edits, for 
example by making a shallow clone of the worktree, applying the series 
"verbatim", as you describe above, and then verifying the signature at 
the tip. If "git verify-commit HEAD" is successful, then the maintainer 
can be assured that patch contents have not been modified between when 
they left the developer's system and arrived at the maintainer's 
workstation.

This means nobody needs to trust me or other members of the sysadmin 
team responsible for lore.kernel.org in order to trust patches they 
retrieve from it.

Best,
-K