Hi On Sun, Aug 03, 2025 at 05:38:26PM +0200, Timo Rothenpieler wrote: > On 8/3/2025 5:31 PM, Michael Niedermayer wrote: > > Hi > > > > The "on server rebase" process that we are using with forgejo looks a bit > > insecure > > > > Previously we wrote code, discussed and then signed and pushed > > In this setup the code coming from a developer is not manipulatable > > because noone else can sign it > > Even if its not signed, stuff would light up if the > > server suddenly changed your pushed commits, as local and > > remote would not match > > > > The current workflow is to create a merge request and up to that we > > are good. > > > > The problem, the code is then sometimes rebased on the server, this removes > > all signatures and allows arbitrary changes to happen. And that is, after > > all reviews. > > > > in the ML based system, a supply chain attack would have to hit author and > > all reviewers. > > With webapp rebasing a point after the reviews can introduce a change > > stealthy > > > > The solutions are obvious: > > 1. ignore security and supply chain attacks > > 2. use merges not rebases on the server > > 3. rebase locally, use fast forward only > > 4. verify on server rebases > > > > whats the oppinon of people about merging instead of rebasing ? > > Theres also non security arguments in favor of merges: > > https://lkml.org/lkml/2008/2/12/627 > > > > That said, i think "verify on server rebases" is possible, just not > > something i have heard off before. > > > > am i missing something ? > > > > thx > > > > I can change the setting from "Rebase and merge to FF Only", though that > would be very tedious to deal with for everyone involved.
that would be "3." in my list and yes it would be tedious, I think the main question is about the 2./4. options (or if iam missing something) > > Forgejo can keep commit signatures intact if proper keys are configured for > the users. Forgejo certainly should have its own key to sign commits it generates. But it cannot have any individual developers private key. thx [...] -- Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB Concerning the gods, I have no means of knowing whether they exist or not or of what sort they may be, because of the obscurity of the subject, and the brevity of human life -- Protagoras
signature.asc
Description: PGP signature
_______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".
