From: Johannes Schindelin <Johannes.Schindelin@gmx.de>
To: Arif Khokar <arif_khokar@hotmail.com>
Cc: "Philip Oakley" <philipoakley@iee.org>,
"Duy Nguyen" <pclouds@gmail.com>, "Jeff King" <peff@peff.net>,
"Stefan Beller" <sbeller@google.com>,
"meta@public-inbox.org" <meta@public-inbox.org>,
"git@vger.kernel.org" <git@vger.kernel.org>,
"Eric Wong" <e@80x24.org>, "Jakub Narębski" <jnareb@gmail.com>
Subject: Re: Working with public-inbox.org [Was: [PATCH] rev-parse: respect core.hooksPath in --git-path]
Date: Fri, 26 Aug 2016 10:08:24 +0200 (CEST) [thread overview]
Message-ID: <alpine.DEB.2.20.1608261007050.4924@virtualbox> (raw)
In-Reply-To: <DM5PR17MB13536B19149ABF86ECD07E1AD3ED0@DM5PR17MB1353.namprd17.prod.outlook.com>
Hi Arif,
On Thu, 25 Aug 2016, Arif Khokar wrote:
> On 08/25/2016 09:01 AM, Johannes Schindelin wrote:
> >
> > On Thu, 25 Aug 2016, Arif Khokar wrote:
>
> >>> I considered recommending this as some way to improve the review
> >>> process. The problem, of course, is that it is very easy to craft
> >>> an email with an innocuous patch and then push some malicious patch
> >>> to the linked repository.
> >>
> >> It should be possible to verify the SHA1 of the blob before and after
> >> the patch is applied given the values listed near the beginning of
> >> the git diff output.
> >
> > There is no guarantee that the SHA-1 has not been tampered with.
>
> I was implying that the resulting SHA1 of the blob after the malicious
> patch was applied would differ compared to the resulting blob after
> applying the innocuous patch. Even if you alter the SHA1 value within
> the patch itself, it doesn't change the SHA1 of the result (unless
> you're able to get a hash collision).
>
> But, if you want to guarantee that the SHA1 hasn't been tampered in the
> email, you could sign it with your private GPG key and others could
> verify the signature with your public key (assuming the web-of-trust
> applies).
Given that I try to convince my fellow core Git developers to adopt an
*easier* patch submission process, that wastes less of contributors' time,
I would be strongly opposed to requiring a web of trust and GPG signatures
just to be able to submit patches to git.git.
Ciao,
Johannes
next prev parent reply other threads:[~2016-08-26 8:08 UTC|newest]
Thread overview: 64+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-08-16 16:55 Working with public-inbox.org [Was: [PATCH] rev-parse: respect core.hooksPath in --git-path] Stefan Beller
2016-08-16 17:10 ` Junio C Hamano
2016-08-16 17:20 ` Jeff King
2016-08-16 17:54 ` Junio C Hamano
2016-08-16 17:22 ` Stefan Beller
2016-08-16 17:47 ` Junio C Hamano
2016-08-16 20:44 ` Eric Wong
2016-08-16 20:56 ` Eric Wong
2016-08-18 12:42 ` Johannes Schindelin
2016-08-18 20:49 ` Eric Wong
2016-08-18 21:41 ` Junio C Hamano
2016-08-19 15:18 ` Johannes Schindelin
2016-08-19 15:30 ` Johannes Schindelin
2016-08-19 16:55 ` Stefan Beller
2016-08-19 22:35 ` Eric Wong
2016-08-22 13:38 ` Johannes Schindelin
2016-08-22 19:21 ` Jeff King
2016-08-19 22:35 ` Eric Wong
2016-08-22 13:18 ` Johannes Schindelin
2016-08-22 18:05 ` Jakub Narębski
2016-08-25 13:21 ` Johannes Schindelin
2016-08-28 18:23 ` Jakub Narębski
2016-08-29 10:46 ` Johannes Schindelin
2016-08-22 22:55 ` Eric Wong
2016-08-25 12:58 ` Johannes Schindelin
2016-08-27 22:38 ` Jakub Narębski
2016-08-28 8:36 ` Working with public-inbox.org Johannes Schindelin
2016-08-28 11:41 ` Jakub Narębski
2016-08-29 5:35 ` Johannes Schindelin
2016-08-19 15:03 ` Working with public-inbox.org [Was: [PATCH] rev-parse: respect core.hooksPath in --git-path] Jeff King
2016-08-20 19:57 ` Jakub Narębski
2016-08-23 4:47 ` Arif Khokar
2016-08-24 15:34 ` Johannes Schindelin
2016-08-24 18:49 ` Eric Wong
2016-08-24 19:12 ` Jeff King
2016-08-24 19:27 ` Eric Wong
2016-08-25 3:40 ` Arif Khokar
2016-08-25 2:41 ` Arif Khokar
2017-02-10 16:10 ` Johannes Schindelin
2017-02-13 5:52 ` Arif Khokar
2017-02-13 14:37 ` Johannes Schindelin
2017-02-14 3:56 ` Arif Khokar
2017-02-14 3:59 ` Arif Khokar
2017-02-14 7:13 ` Eric Wong
2017-02-13 19:21 ` Junio C Hamano
2017-02-14 3:55 ` Arif Khokar
2017-02-14 4:41 ` Junio C Hamano
2017-02-14 5:09 ` Arif Khokar
2017-02-14 5:14 ` Jeff King
2016-08-22 13:06 ` Johannes Schindelin
2016-08-22 13:15 ` Duy Nguyen
2016-08-22 20:38 ` Philip Oakley
2016-08-24 13:04 ` Johannes Schindelin
2016-08-24 19:16 ` Eric Wong
2016-08-25 13:08 ` Johannes Schindelin
2016-08-25 3:57 ` Arif Khokar
2016-08-25 13:01 ` Johannes Schindelin
2016-08-25 23:14 ` Arif Khokar
2016-08-26 8:08 ` Johannes Schindelin [this message]
2016-08-27 22:26 ` Jakub Narębski
2016-08-28 8:38 ` Johannes Schindelin
2016-08-28 13:45 ` Announcing Git User's Survey 2016 [was: Working with public-inbox.org] Jakub Narębski
2016-09-09 13:06 ` Johannes Schindelin
2016-09-09 18:51 ` Jakub Narębski
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: http://public-inbox.org/README
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=alpine.DEB.2.20.1608261007050.4924@virtualbox \
--to=johannes.schindelin@gmx.de \
--cc=arif_khokar@hotmail.com \
--cc=e@80x24.org \
--cc=git@vger.kernel.org \
--cc=jnareb@gmail.com \
--cc=meta@public-inbox.org \
--cc=pclouds@gmail.com \
--cc=peff@peff.net \
--cc=philipoakley@iee.org \
--cc=sbeller@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://80x24.org/public-inbox.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).