On Mon, Oct 14, 2019 at 11:28:59AM -0300, Mauro Carvalho Chehab wrote:
Yeah, our current security model is based on the maintainer doing his
duties, properly reviewing the patch.
Yet, in the example that Daniel gave:
Instead of:

    if ((permissions == allowed) && other_stuff) {
        do_things();
    }
    do_more_stuff(permissions);

Patch was maliciously modified to:

    if ((permission == allowed) && other_stuff) {
        do_things();
    }
    do_more_stuff(permissions);

I suspect that a change like that might slip through the maintainer's
review.
I submitted a proposal to the git list that would address this, but it
saw little uptake in the discussion:
https://public-inbox.org/git/20190910121324.GA6867@pure.paranoia.local/t/#u
To summarize it in brief, I suggested using minisign signatures and
git-tracked TOFU (trust on first use) databases. TOFU is not perfect,
but it's better than nothing at all, which is what we have right now.
-K
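The following is an added illustration, not code from the git proposal, from Patchwork, or from minisign: it models the two checks the proposal above combines, a signature over the patch bytes (Ed25519, the same primitive minisign uses, but not minisign's file format) and a trust-on-first-use database that pins a sender's key the first time it is seen. The sender address, the in-memory map standing in for a git-tracked TOFU file, and the patch text are constructed for the example. It shows why the one-character "permissions" to "permission" edit in Daniel's example cannot pass unnoticed once the patch is signed, and what TOFU does and does not catch when the tamperer re-signs with their own key.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"strings"
)

// TOFUDB maps a sender identity to the public key pinned on first use.
// In the proposal this would be a file tracked in git; here it is an
// in-memory map (assumption for the example).
type TOFUDB map[string]ed25519.PublicKey

var ErrKeyMismatch = errors.New("tofu: sender key does not match pinned key")

// Pin records pub for sender on first use. It reports whether the key was
// newly pinned and returns ErrKeyMismatch if a different key is already pinned.
func (db TOFUDB) Pin(sender string, pub ed25519.PublicKey) (bool, error) {
	pinned, ok := db[sender]
	if !ok {
		db[sender] = append(ed25519.PublicKey(nil), pub...)
		return true, nil
	}
	if !bytes.Equal(pinned, pub) {
		return false, ErrKeyMismatch
	}
	return false, nil
}

// SignPatch signs the raw patch bytes; any later byte change breaks the signature.
func SignPatch(priv ed25519.PrivateKey, patch []byte) []byte {
	return ed25519.Sign(priv, patch)
}

// VerifyPatch runs the TOFU check first (is this the key we know for the
// sender?) and then the signature check (does the key vouch for these bytes?).
func VerifyPatch(db TOFUDB, sender string, pub ed25519.PublicKey, patch, sig []byte) error {
	if _, err := db.Pin(sender, pub); err != nil {
		return err
	}
	if !ed25519.Verify(pub, patch, sig) {
		return errors.New("signature does not match patch contents")
	}
	return nil
}

// Demo walks through the scenario from the thread and reports whether the
// tampered patch and the re-signed tampered patch were both rejected.
func Demo() (tamperDetected, keySwapDetected bool) {
	const sender = "daniel@example.invalid" // constructed sender identity
	db := TOFUDB{}

	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// The patch as the author sent it (constructed from the thread's example).
	original := []byte("if ((permissions == allowed) && other_stuff) {\n" +
		"\tdo_things();\n}\ndo_more_stuff(permissions);\n")
	sig := SignPatch(priv, original)

	// First use: key gets pinned, signature verifies.
	if err := VerifyPatch(db, sender, pub, original, sig); err != nil {
		panic(err)
	}

	// Someone in the path changes one identifier; the author's signature no longer matches.
	tampered := []byte(strings.Replace(string(original), "permissions ==", "permission ==", 1))
	tamperDetected = VerifyPatch(db, sender, pub, tampered, sig) != nil

	// The tamperer re-signs with a key of their own; the bytes verify under that
	// key, but TOFU rejects it because a different key is pinned for the sender.
	pub2, priv2, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	sig2 := SignPatch(priv2, tampered)
	keySwapDetected = errors.Is(VerifyPatch(db, sender, pub2, tampered, sig2), ErrKeyMismatch)
	return tamperDetected, keySwapDetected
}

func main() {
	t, k := Demo()
	fmt.Printf("tampered patch rejected: %v, re-signed with foreign key rejected: %v\n", t, k)
}
```

The limit of TOFU is visible in Pin: the very first key seen for a sender is accepted without any external check, so an attacker who controls the sender's first submission gets pinned and everything after it verifies. That is the "not perfect, but better than nothing" trade-off of the proposal; once a key is pinned, both silent edits and key substitution for that sender are caught.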
_______________________________________________
Patchwork mailing list
Patchwork@lists.ozlabs.org
https://lists.ozlabs.org/listinfo/patchwork