* Re: [kernel.org users] b4: DKIM verification available [not found] ` <20201122002808.GA20499@outflux.net> @ 2020-11-22 17:38 ` Konstantin Ryabitsev 2020-11-22 17:51 ` Kees Cook 0 siblings, 1 reply; 4+ messages in thread From: Konstantin Ryabitsev @ 2020-11-22 17:38 UTC (permalink / raw) To: Kees Cook; +Cc: users, tools On Sat, Nov 21, 2020 at 04:28:08PM -0800, Kees Cook wrote: > On Fri, Nov 20, 2020 at 05:15:30PM -0500, Konstantin Ryabitsev wrote: > > I'm gearing up for b4 0.6.0, which adds a handful of new features around > > attestation. Specifically, it enables DKIM verification if the required > > library is available. It used to be a futile exercise due to almost > > every mailing list breaking it in terrible ways, but vger now properly > > preserves headers so that DKIM signatures verify nearly all the time. > > Nice! This works for me. > > I wanted to look at X-Patch-Sig verification too, but realized I couldn't > actually search lore for an arbitrary header to find an example. And so > I went to the lore git, and from a worktree, I found no one using the > new b4 GPG attestation yet ("git log -S X-Patch-Sig"). Well, it's not in any released version yet, so it's not surprising. :) You can test it on some of my bogus series posts: b4 am -o/tmp 20201120212731.1645654-1-konstantin@linuxfoundation.org The 0.6 release will only support mode=pgp in addition to plain DKIM. > (I was hoping to have my own series up to use as an example, but I > mucked up the order of operations. Next one should include it, > though!) Basically, you just run "b4 attest *.patch" before running "git send-email". You can actually do this via adding the following to .git/hooks/sendemail-validate: #!/bin/sh /path/to/your/b4/b4.sh attest $1 I'll add documentation for this before 0.6 is out. Thanks for willing to be my test subject. :) -K ^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [kernel.org users] b4: DKIM verification available 2020-11-22 17:38 ` [kernel.org users] b4: DKIM verification available Konstantin Ryabitsev @ 2020-11-22 17:51 ` Kees Cook 0 siblings, 0 replies; 4+ messages in thread From: Kees Cook @ 2020-11-22 17:51 UTC (permalink / raw) To: Konstantin Ryabitsev; +Cc: users, tools On Sun, Nov 22, 2020 at 12:38:59PM -0500, Konstantin Ryabitsev wrote: > On Sat, Nov 21, 2020 at 04:28:08PM -0800, Kees Cook wrote: > > On Fri, Nov 20, 2020 at 05:15:30PM -0500, Konstantin Ryabitsev wrote: > > > I'm gearing up for b4 0.6.0, which adds a handful of new features around > > > attestation. Specifically, it enables DKIM verification if the required > > > library is available. It used to be a futile exercise due to almost > > > every mailing list breaking it in terrible ways, but vger now properly > > > preserves headers so that DKIM signatures verify nearly all the time. > > > > Nice! This works for me. > > > > I wanted to look at X-Patch-Sig verification too, but realized I couldn't > > actually search lore for an arbitrary header to find an example. And so > > I went to the lore git, and from a worktree, I found no one using the > > new b4 GPG attestation yet ("git log -S X-Patch-Sig"). > > Well, it's not in any released version yet, so it's not surprising. :) > You can test it on some of my bogus series posts: > > b4 am -o/tmp 20201120212731.1645654-1-konstantin@linuxfoundation.org > > The 0.6 release will only support mode=pgp in addition to plain DKIM. Excellent! > > > (I was hoping to have my own series up to use as an example, but I > > mucked up the order of operations. Next one should include it, > > though!) > > Basically, you just run "b4 attest *.patch" before running "git > send-email". You can actually do this via adding the following to Yeah, that's what I discovered (I hadn't realized it had switch to using injected headers). > .git/hooks/sendemail-validate: > > #!/bin/sh > /path/to/your/b4/b4.sh attest $1 > > I'll add documentation for this before 0.6 is out. Ah, nice; that's cleaner than what I was doing. > Thanks for willing to be my test subject. :) Thanks for writing all this! :) -- Kees Cook @outflux.net ^ permalink raw reply [flat|nested] 4+ messages in thread
[parent not found: <20201123154841.GU244516@ziepe.ca>]
[parent not found: <1dccb9ac431b854ba4f7a72f6e7b90baecdacbe1.camel@HansenPartnership.com>]
[parent not found: <20201123164220.GW244516@ziepe.ca>]
* Re: [kernel.org users] b4: DKIM verification available [not found] ` <20201123164220.GW244516@ziepe.ca> @ 2020-11-23 18:17 ` Konstantin Ryabitsev 2020-11-23 18:28 ` Jason Gunthorpe 0 siblings, 1 reply; 4+ messages in thread From: Konstantin Ryabitsev @ 2020-11-23 18:17 UTC (permalink / raw) To: Jason Gunthorpe; +Cc: James Bottomley, users, tools On Mon, Nov 23, 2020 at 12:42:20PM -0400, Jason Gunthorpe wrote: > Konstantin: This seems like a few bad behaviors here.. Shouldn't the > first one report the DKIM failure?? Yeah, but I try not to put in features that everyone would immediately turn off due to high false-positive rates. :) We treat a successful DKIM verification as a nice surprise and quietly move on otherwise. > It also feels like b4 should try other list archives if the DKIM is > bad. eg inspect the to/cc headers and pick a vger list if available. There is a better solution that should become available in the future releases of public-inbox: - it'll allow us to combine threads from multiple lists - when multiple sources match, we'll be able to assign a "weighting" metric that should let us pick vger lists over mailman lists when the same message exists on both -K ^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [kernel.org users] b4: DKIM verification available 2020-11-23 18:17 ` Konstantin Ryabitsev @ 2020-11-23 18:28 ` Jason Gunthorpe 0 siblings, 0 replies; 4+ messages in thread From: Jason Gunthorpe @ 2020-11-23 18:28 UTC (permalink / raw) To: Konstantin Ryabitsev; +Cc: James Bottomley, users, tools On Mon, Nov 23, 2020 at 01:17:46PM -0500, Konstantin Ryabitsev wrote: > On Mon, Nov 23, 2020 at 12:42:20PM -0400, Jason Gunthorpe wrote: > > Konstantin: This seems like a few bad behaviors here.. Shouldn't the > > first one report the DKIM failure?? > > Yeah, but I try not to put in features that everyone would immediately > turn off due to high false-positive rates. :) Do you think it is that bad? According to DMARC data vger lists are nearly 100% these days, b4 could sense vger and turn it on properly. It would be interesting to see some stats on some of the vger lists from lore to get a sense how many senders are misconfigured. If you are going in this direction having vger reject messages that fail DKIM signature checking just like it rejects HTML messages would instantly make it usable. :) > verification as a nice surprise and quietly move on otherwise. Well in this way it will have no impact on any workflow or any change in the git commits.. Jason ^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2020-11-23 18:28 UTC | newest] Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- [not found] <20201120221530.mfwn72nr6lqr2qqs@chatter.i7.local> [not found] ` <20201122002808.GA20499@outflux.net> 2020-11-22 17:38 ` [kernel.org users] b4: DKIM verification available Konstantin Ryabitsev 2020-11-22 17:51 ` Kees Cook [not found] ` <20201123154841.GU244516@ziepe.ca> [not found] ` <1dccb9ac431b854ba4f7a72f6e7b90baecdacbe1.camel@HansenPartnership.com> [not found] ` <20201123164220.GW244516@ziepe.ca> 2020-11-23 18:17 ` Konstantin Ryabitsev 2020-11-23 18:28 ` Jason Gunthorpe
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).