On Fri, Feb 28, 2020 at 2:58 AM Jason A. Donenfeld <Jason@xxxxxxxxx> wrote:
> It doesn't help with the reverse scenario, where what's in the
> developer's inbox or displayed on the lore webserver running a
> backdoored nginx doesn't match the patches that they eventually apply.
> That might seem like an unrealistic attack scenario, but then think
> about it combined with the get-lore-mbox feature to grab the latest
> patchset version and other similar shenanigans. Or, maybe Eve reposts
> v1 as v20, and this mailing list thread convinces you to ignore the
> [PATCH vX] from the metadata hash, or maintainers don't care about
> that hash verifying anyway since it tends to get mangled.

Or different patches with the same subject.

Recently, I accidentally sent out a patch with the wrong subject, which
matched an older patch.

"get-lore-mbox.py 20200218112557.5924-1-geert+renesas@xxxxxxxxx" downloads
the new thread, plus the email with the old patch with the same one-line
summary.

Worse, "get-lore-mbox.py -a 20200218112557.5924-1-geert+renesas@xxxxxxxxx"
selects the old patch instead of the new one, despite the exact Message-ID
match on the command line.

Fortunately "git am" complained, as the old patch had already been applied.

Gr{oetje,eeting}s,

                        Geert

--
Geert Uytterhoeven -- There's lots of Linux beyond ia32 -- geert@xxxxxxxxxxxxxx

In personal conversations with technical people, I call myself a hacker. But
when I'm talking to journalists I just say "programmer" or something like that.
                                -- Linus Torvalds
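The failure mode Geert describes, shown as an added example that is not part of the thread and not the code of get-lore-mbox.py: the mbox below is constructed (three messages, two of them patches that share a one-line summary), the subject-keyed selection in `select_by_subject` is an assumed model of how an older patch can win over the one named on the command line, and `select_by_message_id` is the check a maintainer would want instead: pick only the exact Message-ID and report every other patch in the mbox that carries the same subject.

```python
import email
import re
from email import policy
from email.utils import parsedate_to_datetime

# Constructed sample mbox (not lore.kernel.org data): an old patch, a newer
# unrelated patch that accidentally reuses its one-line summary, and a reply.
SAMPLE_MBOX = """\
From MAILER-DAEMON Mon Feb 18 00:00:00 2019
From: Alice <alice@example.org>
Subject: [PATCH] example: fix widget refcount
Date: Mon, 18 Feb 2019 10:00:00 +0100
Message-ID: <old-patch@example.org>

First version of the widget fix (constructed body).

From MAILER-DAEMON Tue Feb 18 00:00:00 2020
From: Alice <alice@example.org>
Subject: [PATCH] example: fix widget refcount
Date: Tue, 18 Feb 2020 11:25:57 +0100
Message-ID: <new-patch@example.org>

A different change that reused the old summary by mistake (constructed body).

From MAILER-DAEMON Tue Feb 18 00:00:00 2020
From: Bob <bob@example.org>
Subject: Re: [PATCH] example: fix widget refcount
Date: Tue, 18 Feb 2020 12:00:00 +0100
Message-ID: <reply@example.org>
In-Reply-To: <new-patch@example.org>

Looks good (constructed reply).
"""


def parse_mbox(text):
    """Split mbox text on its 'From ' separator lines and parse each message."""
    chunks = re.split(r"^From .*\n", text, flags=re.MULTILINE)
    return [email.message_from_string(c, policy=policy.default)
            for c in chunks if c.strip()]


def normalize_subject(subject):
    """Strip any number of Re:/Fwd: prefixes and collapse whitespace."""
    s = str(subject)
    while True:
        stripped = re.sub(r"^\s*(re|fwd?)\s*:\s*", "", s, flags=re.IGNORECASE)
        if stripped == s:
            break
        s = stripped
    return " ".join(s.split()).lower()


def is_patch(msg):
    """A patch mail, as opposed to a reply quoting its subject."""
    return str(msg["Subject"]).strip().lower().startswith("[patch")


def select_by_subject(msgs, wanted_id):
    """Assumed model of the failure mode: key on the requested message's
    subject and take the oldest patch with that subject. Returns its ID."""
    wanted = next(m for m in msgs if str(m["Message-ID"]) == wanted_id)
    key = normalize_subject(wanted["Subject"])
    candidates = [m for m in msgs
                  if is_patch(m) and normalize_subject(m["Subject"]) == key]
    candidates.sort(key=lambda m: parsedate_to_datetime(str(m["Date"])))
    return str(candidates[0]["Message-ID"])


def select_by_message_id(msgs, wanted_id):
    """Safer selection: honour the exact Message-ID and report every other
    patch whose subject collides with it, so the collision is visible
    before 'git am' has to catch it."""
    wanted = next(m for m in msgs if str(m["Message-ID"]) == wanted_id)
    key = normalize_subject(wanted["Subject"])
    collisions = [str(m["Message-ID"]) for m in msgs
                  if is_patch(m) and m is not wanted
                  and normalize_subject(m["Subject"]) == key]
    return str(wanted["Message-ID"]), collisions


if __name__ == "__main__":
    msgs = parse_mbox(SAMPLE_MBOX)
    asked = "<new-patch@example.org>"
    print("subject-keyed pick:", select_by_subject(msgs, asked))
    chosen, clashes = select_by_message_id(msgs, asked)
    print("exact pick:", chosen, "subject collisions:", clashes)
```

With the constructed mbox the subject-keyed pick returns the 2019 patch even though the 2020 Message-ID was requested, while the exact pick returns the requested ID and lists the older patch as a collision that deserves a look before applying anything.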