From: Geert Uytterhoeven <geert@linux-m68k.org>
To: "Jason A. Donenfeld" <Jason@zx2c4.com>,
Konstantin Ryabitsev <konstantin@linuxfoundation.org>
Cc: workflows@vger.kernel.org
Subject: Re: Patch attestation RFC + proof of concept
Date: Fri, 6 Mar 2020 17:53:24 +0100 [thread overview]
Message-ID: <CAMuHMdVGD3GM8e29VM8brr8xiYFoL9uyY9ywMXfBpnZ5tCA1PQ@mail.gmail.com> (raw)
In-Reply-To: <CAHmME9rkCgQwUnwUoOCzDzLi1biECs3ZwzApsPDKXykKPitZew@mail.gmail.com>
On Fri, Feb 28, 2020 at 2:58 AM Jason A. Donenfeld <Jason@zx2c4.com> wrote:
> It doesn't help with the reverse scenario, where what's in the
> developer's inbox or displayed on the lore webserver running a
> backdoored nginx doesn't match the patches that they eventually apply.
> That might seem like an unrealistic attack scenario, but then think
> about it combined with the get-lore-mbox feature to grab the latest
> patchset version and other similar shenanigans. Or, maybe Eve reposts
> v1 as v20, and this mailing list thread convinces you to ignore the
> [PATCH vX] from the metadata hash, or maintainers don't care about
> that hash verifying anyway since it tends to get mangled.
Or different patches with the same subject.
Recently, I accidentally send out a patch with the wrong subject, which
matched an older patch.
"get-lore-mbox.py 20200218112557.5924-1-geert+renesas@glider.be"
downloads the new thread, plus the email with the old patch with the same
one-line summary.
Worse, "get-lore-mbox.py -a 20200218112557.5924-1-geert+renesas@glider.be"
selects the old patch instead of the new one, despite the exact Message-ID
match on the command line. Fortunately "git am" complained, as the old
patch had already been applied.
Gr{oetje,eeting}s,
Geert
--
Geert Uytterhoeven -- There's lots of Linux beyond ia32 -- geert@linux-m68k.org
In personal conversations with technical people, I call myself a hacker. But
when I'm talking to journalists I just say "programmer" or something like that.
-- Linus Torvalds
prev parent reply other threads:[~2020-03-06 16:53 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-02-26 17:25 Patch attestation RFC + proof of concept Konstantin Ryabitsev
2020-02-26 17:50 ` Kees Cook
2020-02-26 18:47 ` Konstantin Ryabitsev
2020-02-26 20:11 ` Jason Gunthorpe
2020-02-26 20:42 ` Konstantin Ryabitsev
2020-02-26 21:04 ` Jason Gunthorpe
2020-02-26 21:18 ` Konstantin Ryabitsev
2020-02-27 1:23 ` Jason Gunthorpe
2020-02-27 4:11 ` Jason A. Donenfeld
2020-02-27 10:05 ` Geert Uytterhoeven
2020-02-27 13:30 ` Jason A. Donenfeld
2020-02-27 14:29 ` Konstantin Ryabitsev
2020-02-28 1:57 ` Jason A. Donenfeld
2020-02-28 2:30 ` Jason A. Donenfeld
2020-02-28 18:33 ` Konstantin Ryabitsev
2020-02-28 17:54 ` Konstantin Ryabitsev
2020-03-06 16:53 ` Geert Uytterhoeven [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAMuHMdVGD3GM8e29VM8brr8xiYFoL9uyY9ywMXfBpnZ5tCA1PQ@mail.gmail.com \
--to=geert@linux-m68k.org \
--cc=Jason@zx2c4.com \
--cc=konstantin@linuxfoundation.org \
--cc=workflows@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).