Linux maintainer tooling and workflows
 help / color / Atom feed
* Re: [kernel.org users] b4: DKIM verification available
       [not found] ` <20201122002808.GA20499@outflux.net>
@ 2020-11-22 17:38   ` Konstantin Ryabitsev
  2020-11-22 17:51     ` Kees Cook
  0 siblings, 1 reply; 4+ messages in thread
From: Konstantin Ryabitsev @ 2020-11-22 17:38 UTC (permalink / raw)
  To: Kees Cook; +Cc: users, tools

On Sat, Nov 21, 2020 at 04:28:08PM -0800, Kees Cook wrote:
> On Fri, Nov 20, 2020 at 05:15:30PM -0500, Konstantin Ryabitsev wrote:
> > I'm gearing up for b4 0.6.0, which adds a handful of new features around 
> > attestation. Specifically, it enables DKIM verification if the required 
> > library is available. It used to be a futile exercise due to almost 
> > every mailing list breaking it in terrible ways, but vger now properly 
> > preserves headers so that DKIM signatures verify nearly all the time.  
> 
> Nice! This works for me.
> 
> I wanted to look at X-Patch-Sig verification too, but realized I couldn't
> actually search lore for an arbitrary header to find an example. And so
> I went to the lore git, and from a worktree, I found no one using the
> new b4 GPG attestation yet ("git log -S X-Patch-Sig").

Well, it's not in any released version yet, so it's not surprising. :) 
You can test it on some of my bogus series posts:

b4 am -o/tmp 20201120212731.1645654-1-konstantin@linuxfoundation.org

The 0.6 release will only support mode=pgp in addition to plain DKIM.

> (I was hoping to have my own series up to use as an example, but I
> mucked up the order of operations. Next one should include it, 
> though!)

Basically, you just run "b4 attest *.patch" before running "git 
send-email". You can actually do this via adding the following to 
.git/hooks/sendemail-validate:

#!/bin/sh
/path/to/your/b4/b4.sh attest $1

I'll add documentation for this before 0.6 is out.

Thanks for willing to be my test subject. :)

-K

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [kernel.org users] b4: DKIM verification available
  2020-11-22 17:38   ` [kernel.org users] b4: DKIM verification available Konstantin Ryabitsev
@ 2020-11-22 17:51     ` Kees Cook
  0 siblings, 0 replies; 4+ messages in thread
From: Kees Cook @ 2020-11-22 17:51 UTC (permalink / raw)
  To: Konstantin Ryabitsev; +Cc: users, tools

On Sun, Nov 22, 2020 at 12:38:59PM -0500, Konstantin Ryabitsev wrote:
> On Sat, Nov 21, 2020 at 04:28:08PM -0800, Kees Cook wrote:
> > On Fri, Nov 20, 2020 at 05:15:30PM -0500, Konstantin Ryabitsev wrote:
> > > I'm gearing up for b4 0.6.0, which adds a handful of new features around 
> > > attestation. Specifically, it enables DKIM verification if the required 
> > > library is available. It used to be a futile exercise due to almost 
> > > every mailing list breaking it in terrible ways, but vger now properly 
> > > preserves headers so that DKIM signatures verify nearly all the time.  
> > 
> > Nice! This works for me.
> > 
> > I wanted to look at X-Patch-Sig verification too, but realized I couldn't
> > actually search lore for an arbitrary header to find an example. And so
> > I went to the lore git, and from a worktree, I found no one using the
> > new b4 GPG attestation yet ("git log -S X-Patch-Sig").
> 
> Well, it's not in any released version yet, so it's not surprising. :) 
> You can test it on some of my bogus series posts:
> 
> b4 am -o/tmp 20201120212731.1645654-1-konstantin@linuxfoundation.org
> 
> The 0.6 release will only support mode=pgp in addition to plain DKIM.

Excellent!

> 
> > (I was hoping to have my own series up to use as an example, but I
> > mucked up the order of operations. Next one should include it, 
> > though!)
> 
> Basically, you just run "b4 attest *.patch" before running "git 
> send-email". You can actually do this via adding the following to 

Yeah, that's what I discovered (I hadn't realized it had switch to using
injected headers).

> .git/hooks/sendemail-validate:
> 
> #!/bin/sh
> /path/to/your/b4/b4.sh attest $1
> 
> I'll add documentation for this before 0.6 is out.

Ah, nice; that's cleaner than what I was doing.

> Thanks for willing to be my test subject. :)

Thanks for writing all this! :)

-- 
Kees Cook                                            @outflux.net

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [kernel.org users] b4: DKIM verification available
       [not found]     ` <20201123164220.GW244516@ziepe.ca>
@ 2020-11-23 18:17       ` Konstantin Ryabitsev
  2020-11-23 18:28         ` Jason Gunthorpe
  0 siblings, 1 reply; 4+ messages in thread
From: Konstantin Ryabitsev @ 2020-11-23 18:17 UTC (permalink / raw)
  To: Jason Gunthorpe; +Cc: James Bottomley, users, tools

On Mon, Nov 23, 2020 at 12:42:20PM -0400, Jason Gunthorpe wrote:
> Konstantin: This seems like a few bad behaviors here.. Shouldn't the
> first one report the DKIM failure??

Yeah, but I try not to put in features that everyone would immediately 
turn off due to high false-positive rates. :) We treat a successful DKIM 
verification as a nice surprise and quietly move on otherwise.

> It also feels like b4 should try other list archives if the DKIM is
> bad. eg inspect the to/cc headers and pick a vger list if available.

There is a better solution that should become available in the future 
releases of public-inbox:

- it'll allow us to combine threads from multiple lists
- when multiple sources match, we'll be able to assign a "weighting" 
  metric that should let us pick vger lists over mailman lists when the 
  same message exists on both

-K

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [kernel.org users] b4: DKIM verification available
  2020-11-23 18:17       ` Konstantin Ryabitsev
@ 2020-11-23 18:28         ` Jason Gunthorpe
  0 siblings, 0 replies; 4+ messages in thread
From: Jason Gunthorpe @ 2020-11-23 18:28 UTC (permalink / raw)
  To: Konstantin Ryabitsev; +Cc: James Bottomley, users, tools

On Mon, Nov 23, 2020 at 01:17:46PM -0500, Konstantin Ryabitsev wrote:
> On Mon, Nov 23, 2020 at 12:42:20PM -0400, Jason Gunthorpe wrote:
> > Konstantin: This seems like a few bad behaviors here.. Shouldn't the
> > first one report the DKIM failure??
> 
> Yeah, but I try not to put in features that everyone would immediately 
> turn off due to high false-positive rates. :)

Do you think it is that bad? According to DMARC data vger lists are
nearly 100% these days, b4 could sense vger and turn it on properly.

It would be interesting to see some stats on some of the vger lists
from lore to get a sense how many senders are misconfigured.

If you are going in this direction having vger reject messages that
fail DKIM signature checking just like it rejects HTML messages would
instantly make it usable. :)

> verification as a nice surprise and quietly move on otherwise.

Well in this way it will have no impact on any workflow or any change
in the git commits..

Jason

^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, back to index

Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
     [not found] <20201120221530.mfwn72nr6lqr2qqs@chatter.i7.local>
     [not found] ` <20201122002808.GA20499@outflux.net>
2020-11-22 17:38   ` [kernel.org users] b4: DKIM verification available Konstantin Ryabitsev
2020-11-22 17:51     ` Kees Cook
     [not found] ` <20201123154841.GU244516@ziepe.ca>
     [not found]   ` <1dccb9ac431b854ba4f7a72f6e7b90baecdacbe1.camel@HansenPartnership.com>
     [not found]     ` <20201123164220.GW244516@ziepe.ca>
2020-11-23 18:17       ` Konstantin Ryabitsev
2020-11-23 18:28         ` Jason Gunthorpe

Linux maintainer tooling and workflows

Archives are clonable:
	git clone --mirror https://lore.kernel.org/tools/0 tools/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 tools tools/ https://lore.kernel.org/tools \
		tools@linux.kernel.org
	public-inbox-index tools

Example config snippet for mirrors

Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.linux.tools


AGPL code for this site: git clone https://public-inbox.org/public-inbox.git