Message-ID: <CAHk-=wgcQdD0UzMJrNhQuYAC2wgGtfrCry_iokswaEE5j7W9YA@mail.gmail.com>
Date: Sun, 1 Jun 2025 10:12:02 -0700
From: Linus Torvalds <torvalds@...ux-foundation.org>
To: Konstantin Ryabitsev <konstantin@...uxfoundation.org>
Cc: Kees Cook <kees@...nel.org>, linux-kernel@...r.kernel.org, 
	Eric Biggers <ebiggers@...nel.org>, Ingo Saitz <ingo@...nover.ccc.de>, 
	kernel test robot <oliver.sang@...el.com>, Marco Elver <elver@...gle.com>, 
	Nathan Chancellor <nathan@...nel.org>, Thiago Jung Bauermann <thiago.bauermann@...aro.org>
Subject: Re: [GIT PULL] hardening fixes for v6.16-rc1

On Sun, 1 Jun 2025 at 07:40, Konstantin Ryabitsev
<konstantin@...uxfoundation.org> wrote:
>
> On Sun, Jun 01, 2025 at 12:42:14AM -0700, Kees Cook wrote:
> > Okay, reproducing the "b4 trailers" steps:
> > ...
> > ### Try to update 8c2bb7d12601 with the Acked-by from the list...
> > $ b4 trailers -u https://lore.kernel.org/all/CANpmjNPpyJn++DVZmO89ms_HkJ0OvQzkps0GjCFbWkk0F+_8Xg@mail.gmail.com
> > Finding code-review trailers for 39 commits...
>
> Yeah, this is danger territory, because you're asking to update a random
> commit in the tree history.

So the *real* danger territory is lying about committer information.
That's the thing that *no* standard tool should ever do, and what made
me so upset.

Konstantin, can you please fix b4 to never *ever* rewrite a commit
that has different committer information than the current user?

I don't think this is about "39 commits down". This is apparently b4
just doing plain bad things, and it would be bad even if it was only
rewriting the top-most commit.

Setting authorship to somebody else is normal and expected: "author"
is about giving credit.

But setting *committer* information to somebody else is not about
giving credit, it's about lying. Tools that do that are broken tools.

I'm also not clear on why apparently the script tries to retain
committer dates. That's also just plain lying.

> I will reinstate Kees's account so he can resume his work.

Yeah, I see the updated pull request,

         Linus
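
Added illustration, not part of the original message and not b4's code: a Python sketch of the check requested above, which refuses to rewrite any commit whose committer is not the current user while leaving a differing author alone. The commit objects are constructed samples in `git cat-file -p` format, and the function names are hypothetical.

```python
import re

# Constructed commit objects in `git cat-file -p` format (ids, names, addresses made up).
TREE = "tree " + "0" * 40 + "\n"
SAMPLE_COMMITS = {
    # Author differs from committer: normal, the author line is credit.
    "aaaa111": TREE
    + "author Alice Author <alice@example.org> 1748700000 -0700\n"
    + "committer Me Maintainer <me@example.org> 1748760000 -0700\n"
    + "\nsubsys: fix thing\n",
    # Committed by someone else: a trailer update must not touch this.
    "bbbb222": TREE
    + "author Bob Author <bob@example.org> 1748500000 +0200\n"
    + "committer Other Maintainer <other@example.org> 1748600000 -0700\n"
    + "\ncore: add feature\n",
    # Message body quotes a committer line; only the header counts.
    "cccc333": TREE
    + "author Bob Author <bob@example.org> 1748400000 +0200\n"
    + "committer Other Maintainer <other@example.org> 1748450000 -0700\n"
    + "\ndocs: example\n\ncommitter Me Maintainer <me@example.org> 1 +0000\n",
}

IDENT = re.compile(r"^(author|committer) (.*) <([^<>]*)> (\d+) ([+-]\d{4})$")

def parse_idents(raw):
    """Return {'author': (name, email), 'committer': (name, email)} from the header."""
    header = raw.split("\n\n", 1)[0]  # stop at the blank line before the message
    idents = {}
    for line in header.split("\n"):
        m = IDENT.match(line)
        if m:
            idents[m.group(1)] = (m.group(2), m.group(3))
    return idents

def foreign_committers(commits, my_name, my_email):
    """Ids of commits whose committer is missing or is not the current user."""
    return [
        sha for sha, raw in commits.items()
        if parse_idents(raw).get("committer") != (my_name, my_email)
    ]

def safe_to_rewrite(commits, my_name, my_email):
    """True only if every commit in the range was committed by the current user."""
    return not foreign_committers(commits, my_name, my_email)
```
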
