From: Lundkvist Per <per.lundkvist@saabgroup.com>
To: Junio C Hamano <gitster@pobox.com>
Cc: "git@vger.kernel.org" <git@vger.kernel.org>
Subject: Re: [EXTERNAL] Re: Soundness of signature verification excluding unsigned empty merges
Date: Wed, 22 Mar 2023 11:50:47 +0000 [thread overview]
Message-ID: <cf655e6bcf7248a393b8bfb89bc5833a@saabgroup.com> (raw)
In-Reply-To: <xmqqmt46jbrg.fsf@gitster.g>
Junio C Hamano wrote:
> Lundkvist Per <per.lundkvist@saabgroup.com> writes:
>
> > But it seems like if we allow unsigned empty merge commits, i.e. those that
> > themselves do not introduce any any other change than what its parents
> > introduce, and require all other commits to be properly validated, then we can
> > safely validate the whole repository?
>
> Depends on what you are trying to protect against, I would think.
>
> Two tl;dr of it are
>
> * a merge that does "not introduce any other change than what its
> parents introduce" can still cause harm to the codebase.
>
> * a merge that introduces other changes may very well be necessary
> to merge two histories.
>
> Each commit signed by known/authorized people is simple. But what
> does it mean for them to sign an individual commit in the first
> place? "I wrote it" is too naive an answer ;-)
>
> A commit that is perfectly good in one context may cause the
> codebase to do a totally wrong thing in a different context, so your
> sign on the commit itself may assure others that you as the area
> expert vouches for the change in its original context, but will that
> signature be good enough to hold you responsible for the catastrophe
> it may cause by merging the history leading to the commit to a
> history that has forked from the original one long ago?
OK, got it. For certain type of commits there may be opportunities in time where
it is possible to reintroduce these old signed commits cleanly with an unsigned
merge, and this is a type of attack this validation strategy would not protect
against.
Thanks!
next prev parent reply other threads:[~2023-03-22 11:51 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-03-21 10:32 Soundness of signature verification excluding unsigned empty merges Lundkvist Per
2023-03-21 16:43 ` Junio C Hamano
2023-03-22 11:50 ` Lundkvist Per [this message]
2023-03-22 1:41 ` Elijah Newren
2023-03-22 12:14 ` [EXTERNAL] " Lundkvist Per
2023-03-23 1:49 ` Elijah Newren
2023-03-23 9:55 ` Lundkvist Per
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: http://vger.kernel.org/majordomo-info.html
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=cf655e6bcf7248a393b8bfb89bc5833a@saabgroup.com \
--to=per.lundkvist@saabgroup.com \
--cc=git@vger.kernel.org \
--cc=gitster@pobox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://80x24.org/mirrors/git.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).