[FFmpeg-devel] rebasing security

Michael Niedermayer michael at niedermayer.cc
Sun Aug 3 21:08:58 EEST 2025 

Hi

On Sun, Aug 03, 2025 at 05:38:26PM +0200, Timo Rothenpieler wrote:
> On 8/3/2025 5:31 PM, Michael Niedermayer wrote:
> > Hi
> > 
> > The "on server rebase" process that we are using with forgejo looks a bit insecure
> > 
> > Previously we wrote code, discussed and then signed and pushed
> >      In this setup the code coming from a developer is not manipulatable
> >      because noone else can sign it
> >      Even if its not signed, stuff would light up if the
> >      server suddenly changed your pushed commits, as local and
> >      remote would not match
> > 
> > The current workflow is to create a merge request and up to that we
> > are good.
> > 
> > The problem, the code is then sometimes rebased on the server, this removes
> > all signatures and allows arbitrary changes to happen. And that is, after
> > all reviews.
> > 
> > in the ML based system, a supply chain attack would have to hit author and
> > all reviewers.
> > With webapp rebasing a point after the reviews can introduce a change stealthy
> > 
> > The solutions are obvious:
> > 1. ignore security and supply chain attacks
> > 2. use merges not rebases on the server
> > 3. rebase locally, use fast forward only
> > 4. verify on server rebases
> > 
> > whats the oppinon of people about merging instead of rebasing ?
> > Theres also non security arguments in favor of merges:
> >      https://lkml.org/lkml/2008/2/12/627
> > 
> > That said, i think "verify on server rebases" is possible, just not
> > something i have heard off before.
> > 
> > am i missing something ?
> > 
> > thx
> > 
> 
> I can change the setting from "Rebase and merge to FF Only", though that
> would be very tedious to deal with for everyone involved.

that would be "3." in my list and yes it would be tedious, I think the main
question is about the 2./4. options (or if iam missing something)


> 
> Forgejo can keep commit signatures intact if proper keys are configured for
> the users.

Forgejo certainly should have its own key to sign commits it generates.
But it cannot have any individual developers private key.

thx

[...]

-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

Concerning the gods, I have no means of knowing whether they exist or not
or of what sort they may be, because of the obscurity of the subject, and
the brevity of human life -- Protagoras
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 195 bytes
Desc: not available
URL: <https://ffmpeg.org/pipermail/ffmpeg-devel/attachments/20250803/6ceac2fd/attachment.sig>

More information about the ffmpeg-devel mailing list