From: Daniel Axtens <dja@axtens.net>
To: "Toke Høiland-Jørgensen" <toke@redhat.com>,
"Stephen Hemminger" <stephen@networkplumber.org>,
"Steven Rostedt" <rostedt@goodmis.org>
Cc: Dave Airlie <airlied@gmail.com>,
David Miller <davem@davemloft.net>,
mchehab@kernel.org, skhan@linuxfoundation.org,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patchwork@lists.ozlabs.org, workflows@vger.kernel.org
Subject: Re: RFE: use patchwork to submit a patch
Date: Mon, 14 Oct 2019 23:27:25 +1100 [thread overview]
Message-ID: <87imortsuq.fsf@dja-thinkpad.axtens.net> (raw)
In-Reply-To: <874l0bk3qb.fsf@toke.dk>
Toke Høiland-Jørgensen <toke@redhat.com> writes:
> Daniel Axtens <dja@axtens.net> writes:
>
>>> It does bring up that any new workflow has to have security protocol
>>> and threat model as part of its design.
>>
>> This is actually something that worries me about the patchwork
>> workflow. Maintainers seem to trust the patchwork version of a patch
>> without much (or any) verification that it matches what was sent to the
>> list.
>>
>> Say Alice emails a patch that says something like:
>>
>> if ((permissions == allowed) && other_stuff) {
>> do_things();
>> }
>> do_more_stuff(permissions);
>>
>> List members read that email, and many review it in the email client.
>>
>> However, say that the version in Patchwork actually reads like this:
>>
>> if ((permission = allowed) && other_stuff) {
>> do_things();
>> }
>> do_more_stuff(permissions);
>>
>> (You could get this with a malicious/compromised patchwork admin, or a
>> sufficiently advanced network adversary - patchwork takes the first mail
>> for a given message-id + project and later ones are discarded, so
>> there's a race you can win.)
>>
>> If the maintainer or someone else happens to apply the patch from
>> patchwork and then review it, or if tests happen to catch the relevant
>> case, we'll catch this. Otherwise...
>>
>> It's not the easiest or lowest risk way to get malicious code into the
>> kernel, but nonetheless, I worry about it.
>>
>> I can't think of a sensible way to fix this, unless we want to move to a
>> world where patch submissions are GPG signed, and teach patchwork to
>> verify sigs.
>
> It should be detectable, though, right?
>
> Say you have two independently administered patchwork instances (or even
> better, two different software packages entirely) that both subscribe to
> the mailing lists, and compare patch content with each other. They
> should at least be able to detect mismatches. Especially if you add a
> sanity check before discarding duplicate message-ids.
>
> This way you'd need to compromise multiple machines to achieve the kind
> of compromise you're worried about. And you can add more independent
> machines until you're satisfied that the risk is low enough :)
Yeah, it's detectable, even more simply if someone who subscribes to the
list checks patches they receive against a public patchwork. But my
concern isn't that it's undetectable, it's that it unlikely to be
detected in practice unless someone goes to the effort of writing code
to do it.
Regards,
Daniel
>
> -Toke
next prev parent reply other threads:[~2019-10-14 12:27 UTC|newest]
Thread overview: 96+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-10-10 14:41 RFE: use patchwork to submit a patch Konstantin Ryabitsev
2019-10-10 18:07 ` Mauro Carvalho Chehab
2019-10-10 19:42 ` Steven Rostedt
2019-10-10 19:53 ` Konstantin Ryabitsev
2019-10-10 20:05 ` Eric Wong
2019-10-10 20:21 ` Jonathan Nieder
2019-10-10 20:36 ` Eric Wong
2019-10-11 18:05 ` Mauro Carvalho Chehab
2019-10-10 20:20 ` Jonathan Nieder
2019-10-10 21:38 ` Daniel Axtens
2019-10-10 22:05 ` Konstantin Ryabitsev
2019-10-11 8:57 ` Greg KH
2019-10-11 17:20 ` Shuah Khan
2019-10-11 17:37 ` Mauro Carvalho Chehab
2019-10-11 18:01 ` Steven Rostedt
2019-10-11 18:32 ` David Miller
2019-10-11 18:44 ` Steven Rostedt
2019-10-11 18:51 ` Mauro Carvalho Chehab
2019-10-11 18:59 ` Mauro Carvalho Chehab
2019-10-11 19:02 ` Drew DeVault
2019-10-11 19:11 ` David Miller
2019-10-11 21:19 ` Stephen Hemminger
2019-10-11 21:47 ` Steven Rostedt
2019-10-11 22:54 ` Dave Airlie
2019-10-11 23:00 ` Steven Rostedt
2019-10-12 0:08 ` Stephen Hemminger
2019-10-12 0:14 ` Steven Rostedt
2019-10-13 23:38 ` Daniel Axtens
2019-10-14 10:42 ` Toke Høiland-Jørgensen
2019-10-14 12:26 ` Theodore Y. Ts'o
2019-10-14 13:18 ` Toke Høiland-Jørgensen
2019-10-14 13:41 ` Mauro Carvalho Chehab
2019-10-14 13:53 ` Theodore Y. Ts'o
2019-10-14 14:28 ` Mauro Carvalho Chehab
2019-10-14 15:25 ` Konstantin Ryabitsev
2019-10-14 12:27 ` Daniel Axtens [this message]
2019-10-14 13:19 ` Steven Rostedt
2019-10-14 14:58 ` Dmitry Vyukov
2019-10-14 15:12 ` Laurent Pinchart
2019-10-15 4:49 ` Dmitry Vyukov
2019-10-15 16:30 ` Laurent Pinchart
2019-10-14 15:17 ` Greg KH
2019-10-14 15:27 ` Laurent Pinchart
2019-10-15 4:41 ` Dmitry Vyukov
2019-10-15 16:07 ` Greg KH
2019-10-14 20:56 ` Theodore Y. Ts'o
2019-10-15 4:39 ` Dmitry Vyukov
2019-10-15 12:37 ` Steven Rostedt
2019-10-15 13:35 ` Theodore Y. Ts'o
2019-10-15 14:05 ` Steven Rostedt
2019-10-15 15:21 ` Konstantin Ryabitsev
2019-10-15 16:37 ` Laurent Pinchart
2019-10-15 16:47 ` Steven Rostedt
2019-10-21 15:39 ` Laurent Pinchart
2019-10-24 13:15 ` Steven Rostedt
2019-10-24 13:33 ` Dmitry Vyukov
2019-10-24 13:58 ` Steven Rostedt
2019-10-24 14:12 ` Dmitry Vyukov
2019-10-15 8:57 ` Eric Wong
2019-10-15 9:11 ` Dmitry Vyukov
2019-10-15 16:24 ` Laurent Pinchart
2019-10-15 16:27 ` Laurent Pinchart
2019-10-21 11:16 ` Dmitry Vyukov
2019-11-08 9:44 ` Dmitry Vyukov
2019-11-08 14:02 ` Theodore Y. Ts'o
2019-11-08 14:11 ` Dmitry Vyukov
2019-11-08 14:12 ` Dmitry Vyukov
2019-11-08 14:17 ` Konstantin Ryabitsev
2019-11-08 14:25 ` Dmitry Vyukov
2019-11-09 4:31 ` Theodore Y. Ts'o
2019-11-11 9:35 ` Dmitry Vyukov
2019-11-11 12:08 ` Mark Brown
2019-11-11 16:17 ` Theodore Y. Ts'o
2019-11-11 20:38 ` Konstantin Ryabitsev
2019-11-08 14:17 ` Laurent Pinchart
2019-10-11 20:02 ` Konstantin Ryabitsev
2019-10-11 21:23 ` Eric Wong
2019-10-11 21:35 ` Konstantin Ryabitsev
2019-10-12 7:19 ` Greg KH
2019-10-14 11:31 ` Mark Brown
2019-10-15 16:11 ` Konstantin Ryabitsev
2019-10-13 23:39 ` Eric Wong
2019-10-14 7:30 ` Geert Uytterhoeven
2019-10-14 22:18 ` Eric Wong
2019-10-15 15:34 ` Konstantin Ryabitsev
2019-10-14 15:33 ` Laurent Pinchart
2019-10-15 15:40 ` Konstantin Ryabitsev
2019-10-15 16:32 ` Laurent Pinchart
2019-10-15 16:34 ` Drew DeVault
2019-10-15 16:44 ` Laurent Pinchart
2019-10-15 17:07 ` Drew DeVault
2019-10-15 17:24 ` Konstantin Ryabitsev
2019-10-11 22:57 ` Dave Airlie
2019-10-12 7:31 ` Greg KH
2019-10-12 13:16 ` Stephen Finucane
2019-10-12 16:13 ` Stephen Finucane
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87imortsuq.fsf@dja-thinkpad.axtens.net \
--to=dja@axtens.net \
--cc=airlied@gmail.com \
--cc=davem@davemloft.net \
--cc=gregkh@linuxfoundation.org \
--cc=mchehab@kernel.org \
--cc=patchwork@lists.ozlabs.org \
--cc=rostedt@goodmis.org \
--cc=skhan@linuxfoundation.org \
--cc=stephen@networkplumber.org \
--cc=toke@redhat.com \
--cc=workflows@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).