RFE: use patchwork to submit a patch
toke at redhat.com
Tue Oct 15 00:18:01 AEDT 2019
"Theodore Y. Ts'o" <tytso at mit.edu> writes:
> On Mon, Oct 14, 2019 at 12:42:36PM +0200, Toke Høiland-Jørgensen wrote:
>> It should be detectable, though, right?
>> Say you have two independently administered patchwork instances (or even
>> better, two different software packages entirely) that both subscribe to
>> the mailing lists, and compare patch content with each other. They
>> should at least be able to detect mismatches. Especially if you add a
>> sanity check before discarding duplicate message-ids.
> They don't even need to compare against each other; patchwork is about
> to add a feature where you can look up patches via message-id, right?
> That means it's easy enough to write a program which fetches patches
> from patchwork, and compares it to the patches found in
> lore.kernel.org. If they don't match, then an alarm can be sounded.
Yeah. I guess what is needed is to go from "can be" to "will be" (as
Daniel pointed out in his simultaneous reply).
>> This way you'd need to compromise multiple machines to achieve the kind
>> of compromise you're worried about. And you can add more independent
>> machines until you're satisfied that the risk is low enough :)
> Yep, exactly. This is basically the theory behind Certificate
> Transparency, applied to patches.
Indeed I'm familiar with certificate transparency, so this was certainly
not an idea conceived in a vacuum ;)
More information about the Patchwork