On Tue, Mar 17, 2020 at 06:51:38PM -0400, Paul Moore wrote: > You might want to extend this test to the LSM list as well. I'm > refraining from CC'ing them on this email because I don't want to > spoil your beta test rollout, but I think it would be a good thing to > do. I'll do that, thanks! I'll also loop in kernel-hardening folks. > Speaking as the person who merges patches for both the SELinux and > audit kernel subsystems, I look at every patch I merge; I don't > blindly merge patches (even from certain "trusted" individuals). > Simply put, I've always considered that to be part of the job. While > the patch attestation could provide some assurance about who created > the patch (assuming a reasonable web-of-trust), and that it hadn't > been tampered with, I feel it is more important to review correctness > than it is to guarantee provenance. If you ever develop a tool which > can help with the correctness part, I'll gladly jump to the front of > the line to test that one! ;) Yes I understand -- I view this as an auxiliary feature that helps maintainers in their duties, but certainly doesn't aim to replace due diligence. I am most worried about the following scenario: 1. a maintainer receives a long series of patches that arrives into their inbox 2. they carefully review the patches and decide to merge them 3. they use "b4 am" to grab that patch series from lore.kernel.org 4. however, the archive has been manipulated and returns patches containing malicious edits, which get merged because the maintainer assumes that what "b4 am" returns is the same as what they reviewed Cryptographic attestations helps hedge against this scenario by removing any implicit trust from the centralized system like lore.kernel.org (or patchwork.kernel.org, for that matter). > Having said that, I'm happy to see work going into tools like this, > and at some point I'll look into adding it into my workflow for an > extra level of safety (although I'm on the fence about making it > mandatory for submissions). Sorry to disappoint, but I'm probably not > the best test monkey right now. All good, this is why I'm casting the net wide looking for initial adopters. :) Best regards, Konstantin
