From: Konstantin Ryabitsev <konstantin@linuxfoundation.org>
To: Junio C Hamano <gitster@pobox.com>
Cc: git@vger.kernel.org, vegard.nossum@oracle.com
Subject: Re: Making GitGitGadget conversion lossless
Date: Wed, 26 Feb 2020 16:35:15 -0500 [thread overview]
Message-ID: <20200226213515.t2aa4o4nquaaz6vg@chatter.i7.local> (raw)
In-Reply-To: <xmqq5zfthxlw.fsf@gitster-ct.c.googlers.com>
On Wed, Feb 26, 2020 at 01:01:15PM -0800, Junio C Hamano wrote:
> Isn't this already available by recording the base-commit
> information?
>
> > - author/committer information
> > - cryptographic attestation (gpgsig)
>
> I think you are aiming to come up with bit-for-bit identical commit
> the sender had, and I would imagine that the easiest and least
> disruptive way to do so is to add a compressed and ascii-armored
> copy of "git cat-file commit" output of the original commit after
> the "---" line before the diff/diffstat of the e-mailed patch. The
> receiving end can then act on it when given some option by
>
> - first recover the contents of the commit object (call it #1);
> - learn the parent commit(s) and check out the tree;
> - apply the patch in the remainder of the patch e-mail to the tree;
> - make sure that the result of patch application gives the tree object
> recorded in #1;
> - run "hash-object -t commit -w" over #1 that gives you a commit
> object that is bit-for-bit identical.
Right, I just don't want to be doing this in a separate tool. :)
> As I said already, I do not think that the desire to get the
> bit-for-bit identical commit is compatible with the idea to discuss
> e-mailed patches---the pieces of patch e-mail will become "you may
> look at them, you may apply them, but it is no use to comment on
> them to get them improved".
I disagree -- specifically from the attestation point of view. One of
the drawbacks of platforms like lore.kernel.org is that it creates an
opportunity for a malicious actor to compromise it and modify patches
that they know will be downloaded and applied by Linux maintainers -- so
my goal is to ensure that we do not have to trust lore.kernel.org in
order to trust patches downloaded from it. This means some mechanism for
end-to-end patch attestation.
There are two avenues that I am pursuing for this purpose:
1. being able to submit attestation information out-of-band, see
discussion here:
https://lore.kernel.org/workflows/20200226172502.q3fl67ealxsonfgp@chatter.i7.local/T/#u
2. being able to preserve commit signatures as they are converted into
patches and back
I know that it is very uncommon for patches to be applied without any
changes, because the maintainer would almost always add their
Signed-off-by trailer before applying it to their tree. However,
preserving full commit metadata allows checking cryptographic
attestation *before* adding trailers or making any other edits, for
example by making a shallow clone of the worktree, applying the series
"verbatim", as you describe above, and then verifying the signature at
the tip. If "git verify-commit HEAD" is successful, then the maintainer
can be assured that patch contents have not been modified between when
they left the developer's system and arrived at the maintainer's
workstation.
This means nobody needs to trust me or other members of the sysadmin
team responsible for lore.kernel.org in order to trust patches they
retrieve from it.
Best,
-K
next prev parent reply other threads:[~2020-02-26 21:35 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-02-26 20:09 Making GitGitGadget conversion lossless Konstantin Ryabitsev
2020-02-26 21:01 ` Junio C Hamano
2020-02-26 21:32 ` Vegard Nossum
2020-02-26 21:35 ` Konstantin Ryabitsev [this message]
2020-02-26 22:27 ` Junio C Hamano
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200226213515.t2aa4o4nquaaz6vg@chatter.i7.local \
--to=konstantin@linuxfoundation.org \
--cc=git@vger.kernel.org \
--cc=gitster@pobox.com \
--cc=vegard.nossum@oracle.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).