From: Konstantin Ryabitsev <konstantin@linuxfoundation.org>
To: Don Zickus <dzickus@redhat.com>
Cc: Laurent Pinchart <laurent.pinchart@ideasonboard.com>,
ksummit@lists.linux.dev
Subject: Re: [Tech Topic] Integrating GitLab into the Red Hat kernel workflow
Date: Mon, 12 Jul 2021 15:07:16 -0400 [thread overview]
Message-ID: <20210712190716.sbhboki2bms7dx5b@nitro.local> (raw)
In-Reply-To: <20210712135835.qgh7u5f7p2oy7cp5@redhat.com>
On Mon, Jul 12, 2021 at 09:58:35AM -0400, Don Zickus wrote:
> > - A single client where I can do all my review. With web-based UIs for
> > forges, you have to log in every forge for every project you work on.
> > That's one for github, one for gitlab, one for each self-hosted github
> > or gitlab instance (fd.o has a self-hosted public gitlab instance,
> > it's also common for large companies to have self-hosted private
> > instances), and I'm not counting gerrit instances or other forges.
> > It's painful, I want not only to get all the notifications in a single
> > client (that's already possible with e-mail notifications) but handle
> > review in a single client too.
>
> The biggest hurdle for reviews I see is un-authenticated email sent to an
> autenticated forge.
I'd be interested in exploring how this can be addressed. We can already do a
lot of it by relying on DKIM signatures, which should give you a significant
level of assurance that messages aren't forged (with caveats). If you create
the initial Message-Id with strong randomness on your end, then you could use
that together with the DKIM signature as a fairly reliable authentication
token. When receiving a follow-up message, you can check that:
1. the DKIM signature is valid
2. the References: header is included in signed headers (it almost always is)
3. the message-id in the References: field matches what you have on record
This should give you a pretty strong assurance that messages you receive are
valid and the From: field can be trusted.
Part of my end-to-end attestation work was to introduce the
X-Developer-Signature header that uses the DKIM standard with developers'
personal keys (https://pypi.org/project/patatt/). The biggest obstacle to
adoption with this scheme is making it possible to use it with regular mail
clients and not just git-send-email (especially the web clients), so I'm not
sure whether we can easily use this approach for more generic message
authentication.
-K
next prev parent reply other threads:[~2021-07-12 19:07 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-07-07 21:19 [Tech Topic] Integrating GitLab into the Red Hat kernel workflow Don Zickus
2021-07-07 21:42 ` Laurent Pinchart
2021-07-07 22:27 ` Don Zickus
2021-07-07 22:40 ` Laurent Pinchart
2021-07-08 21:04 ` Don Zickus
2021-07-10 22:38 ` Laurent Pinchart
2021-07-12 13:58 ` Don Zickus
2021-07-12 19:07 ` Konstantin Ryabitsev [this message]
2021-07-14 16:35 ` Don Zickus
2021-07-14 23:47 ` Laurent Pinchart
2021-07-09 14:59 ` ketuzsezr
2021-07-12 13:30 ` Don Zickus
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210712190716.sbhboki2bms7dx5b@nitro.local \
--to=konstantin@linuxfoundation.org \
--cc=dzickus@redhat.com \
--cc=ksummit@lists.linux.dev \
--cc=laurent.pinchart@ideasonboard.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox