From: Arif Khokar
To: Johannes Schindelin, Arif Khokar
CC: Philip Oakley, Duy Nguyen, "Jeff King", Stefan Beller, "meta@public-inbox.org", "git@vger.kernel.org", Eric Wong, Jakub Narębski
Subject: Re: Working with public-inbox.org [Was: [PATCH] rev-parse: respect core.hooksPath in --git-path]
Date: Thu, 25 Aug 2016 23:14:12 +0000
References: <20160819150340.725bejnps6474u2e@sigill.intra.peff.net>

On 08/25/2016 09:01 AM, Johannes Schindelin wrote:
> Hi Arif,
>
> On Thu, 25 Aug 2016, Arif Khokar wrote:
>>> I considered recommending this as some way to improve the review process.
>>> The problem, of course, is that it is very easy to craft an email with an
>>> innocuous patch and then push some malicious patch to the linked
>>> repository.
>>
>> It should be possible to verify the SHA1 of the blob before and after
>> the patch is applied given the values listed near the beginning of the
>> git diff output.
>
> There is no guarantee that the SHA-1 has not been tampered with.

I was implying that the resulting SHA1 of the blob after the malicious
patch was applied would differ compared to the resulting blob after
applying the innocuous patch. Even if you alter the SHA1 value within
the patch itself, it doesn't change the SHA1 of the result (unless
you're able to get a hash collision).

But, if you want to guarantee that the SHA1 hasn't been tampered with in the
email, you could sign it with your private GPG key and others could
verify the signature with your public key (assuming the web-of-trust
applies).
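
The check described in this message, as an added example that is not part of the original email: apply the emailed patch locally, compute the git blob ID of the result, and compare it with both the patch's `index` line and the blob in the linked repository. The file name `build.sh`, the sample contents and the minimal `apply_patch` are constructed for illustration; in practice `git apply` and `git hash-object` do this work.

```python
import hashlib
import re

def git_blob_id(data: bytes) -> str:
    """ID git gives a blob: SHA-1 over the header 'blob <size>\\0' plus the content."""
    return hashlib.sha1(b"blob %d\x00" % len(data) + data).hexdigest()

def apply_patch(pre: str, patch: str) -> str:
    """Minimal unified-diff applier: one file, exact context, no fuzz."""
    src, out, pos, in_hunk = pre.splitlines(keepends=True), [], 0, False
    for line in patch.splitlines(keepends=True):
        hunk = re.match(r"@@ -(\d+)", line)
        if hunk:
            start = max(int(hunk.group(1)) - 1, 0)
            out, pos, in_hunk = out + src[pos:start], start, True
        elif in_hunk and line[0] == "+":
            out.append(line[1:])
        elif in_hunk and line[0] in "- ":
            if pos >= len(src) or src[pos] != line[1:]:
                raise ValueError("patch does not apply to this pre-image")
            if line[0] == " ":
                out.append(src[pos])
            pos += 1
    return "".join(out + src[pos:])

def check(pre: str, emailed_patch: str, repo_post: str) -> dict:
    """Compare the emailed patch's result with its index line and the repository blob."""
    old, new = re.search(r"^index ([0-9a-f]+)\.\.([0-9a-f]+)", emailed_patch, re.M).groups()
    applied = git_blob_id(apply_patch(pre, emailed_patch).encode())
    return {
        "pre_matches_index": git_blob_id(pre.encode()).startswith(old),
        "applied_matches_index": applied.startswith(new),
        "repo_matches_applied": git_blob_id(repo_post.encode()) == applied,
        "applied_id": applied,
    }

# Constructed sample: a three-line file and two candidate repository blobs.
PRE = "#!/bin/sh\necho build\nexit 0\n"
GOOD_POST = "#!/bin/sh\necho build\necho done\nexit 0\n"
EVIL_POST = "#!/bin/sh\necho build\necho done\necho unreviewed change\nexit 0\n"

def make_patch(index_new: str) -> str:  # index_new: post-image ID the email advertises
    head = f"diff --git a/build.sh b/build.sh\nindex {git_blob_id(PRE.encode())[:7]}..{index_new} 100755\n"
    return head + "--- a/build.sh\n+++ b/build.sh\n@@ -1,3 +1,4 @@\n #!/bin/sh\n echo build\n+echo done\n exit 0\n"

EMAILED = make_patch(git_blob_id(GOOD_POST.encode())[:7])

for repo in (GOOD_POST, EVIL_POST):  # reviewed content vs. a repository that differs
    print(check(PRE, EMAILED, repo))
```

Rewriting the `index` line in the email (for example `make_patch("0" * 7)`) flips `applied_matches_index` but leaves `applied_id` unchanged, which is the point made above about altering the SHA1 value inside the patch.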