RFE: use patchwork to submit a patch

Theodore Y. Ts'o tytso at mit.edu
Tue Oct 15 00:53:58 AEDT 2019 

On Mon, Oct 14, 2019 at 10:41:32AM -0300, Mauro Carvalho Chehab wrote:
> It can still have man-in-the-middle (MITM) attacks between the sender and
> vger.kernel.org. Please notice that using https and adding the patch
> via a web interface can also be subject to MITM, as companies and even some
> Countries with strong policy enforcement may have some gateway on their
> infra that will prevent end-to-end encryption[1], blocking direct
> client-server https tunnels.
> 
> [1] They add an internal certificate to the browsers, so that the client
> will see the connection as trustful, but the infra will actually do two
> separate HTTPS encryption:
> 
> 	client  ---> Gateway
> 	Gateway ---> Server
> 
> While unlikely, nothing prevents that the patch would be maliciously 
> altered at the Gateway.
> 
> From security PoV, the only way to ensure that the patch was not
> altered is to have it signed by the one who wrote it.

Well, sure, but the maintainer should be reviewing the patch looking
for problems anyway.  There is the risk that people might slap a
"Reviewed-by:" tag on a patch without sufficiently careful review if
it's from a prominent kernel contributor, but we've always had that
problem.  And so nothing, not even a digitally signed patch from a
reviewer should absolve the maintainer from doing their own review.

Now, one might argue that if there is a forged patch from "famous
kernel developer A", followed up with a forged patch from "famous
kernel developer B", that might cause a maintainer to happily take the
patch without doing their own, independent review, for scaling
reasons.  But that's a "vulernability" we've lived with for a long
time, since today neither patches or "Reviewed-by" messages are
usually signed.

And at least (as far as we know) no one has managed to sneak a
malicious patch with a zero-day hidden with malice aforethought.  And
perhaps that shouldn't be surprising.  We seem to be quite capable of
introducing our own security vulererabilities without "help", so
perhaps most malicious attackers wouldn't want to do something which
could be so easily detected, when they can just pay money to a black
hat hacker.

	       	    	     	       - Ted

More information about the Patchwork mailing list