On Thu, Feb 27, 2020 at 6:05 PM Geert Uytterhoeven <geert@xxxxxxxxxxxxxx> wrote:
> How would the commit base help here? It would indicate this is an old
> patch, which would be indicated by the signature date, too.

For email, not much, since the patch is always disconnected. The point is that this isn't a problem when verifying commits inside of git itself because the signatures are over the commit's position in the tree, so you can't reorder or rearrange commits. Not necessarily an applicable solution here, but worth noting that other setups don't encounter the same problem due to other, larger, design decisions.

> The only thing that would help is time-limiting the window between
> attestation and application.

Sure, one can draw up a few bandaids for this, such as: big red text saying "warning, this commit is kind of old", which of course means its date needs to be included in the metadata signature, and accurate too. Maybe there are other bandaids. Or this is just a fundamental issue with disconnected by-email patches that we'll have to live with.
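An added illustration of the two points above (not part of the thread, and not the patch-attestation tooling under discussion): a git commit's signed bytes include its parent id, so moving the commit onto another parent invalidates the signature, whereas an emailed patch signs only the diff, which is unchanged by reordering; the last function is the time-window bandaid. HMAC stands in for a PGP signature, and the key, tree, parents, diff and dates are all constructed.

```python
import hashlib
import hmac
from datetime import datetime, timedelta

# Constructed stand-in for the author's signing key; real attestation uses PGP.
SIGNING_KEY = b"constructed-example-key"

def git_object_id(kind: str, payload: bytes) -> str:
    """Object id exactly as git computes it: sha1(b"<type> <len>\\0" + payload)."""
    return hashlib.sha1(f"{kind} {len(payload)}\0".encode() + payload).hexdigest()

def commit_payload(tree: str, parent: str, message: str) -> bytes:
    """Minimal commit object body. The parent line is what binds the commit to
    its position in history. Author/committer fields are constructed."""
    return (f"tree {tree}\nparent {parent}\n"
            "author A U Thor <a@example.invalid> 1582840000 +0100\n"
            "committer A U Thor <a@example.invalid> 1582840000 +0100\n"
            f"\n{message}\n").encode()

def sign(payload: bytes) -> str:
    return hmac.new(SIGNING_KEY, payload, hashlib.sha256).hexdigest()

def verify(payload: bytes, sig: str) -> bool:
    return hmac.compare_digest(sign(payload), sig)

TREE = git_object_id("tree", b"")  # id of the empty tree
OLD_PARENT = git_object_id("commit", b"constructed parent A")
NEW_PARENT = git_object_id("commit", b"constructed parent B")
DIFF = b"--- a/f\n+++ b/f\n@@ -1 +1 @@\n-old\n+new\n"  # constructed patch body

def commit_signature_after_reparent() -> bool:
    """Sign a commit, then move it onto another parent (rebase/reorder):
    the signed bytes change, so the signature no longer verifies."""
    sig = sign(commit_payload(TREE, OLD_PARENT, "fix"))
    return verify(commit_payload(TREE, NEW_PARENT, "fix"), sig)

def patch_signature_after_reorder() -> bool:
    """An emailed patch carries only the diff; applying it on a different base
    leaves the signed bytes untouched, so the signature still verifies."""
    sig = sign(DIFF)
    return verify(DIFF, sig)

def attestation_too_old(signed_at: str, applied_at: str, max_days: int = 30) -> bool:
    """The time-limiting bandaid: flag a patch whose attestation timestamp
    (which must itself be inside the signed metadata) predates application
    by more than the allowed window. Timestamps are ISO 8601 strings."""
    delta = datetime.fromisoformat(applied_at) - datetime.fromisoformat(signed_at)
    return delta > timedelta(days=max_days)
```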