Fixes for verify-commits script #7713
Conversation
|
utACK 6d1016f |
|
utACK |
|
|
||
| DIR=$(dirname "$0") | ||
|
|
||
| echo "Please verify all commits in the following list are not evil:" |
There was a problem hiding this comment.
Did you intend to remove this message?
|
Ping @TheBlueMatt |
|
Which features are bash-specific (I'm pretty sure we went through this when it was merged, and there were none left)? We should just remove the bash-specific ones, not revert to forcing bash. |
|
Also, I do prefer to not remove the commits list message...its not there to prevent someone who has malicious access to the repo, its there to encourage people to audit the commits that were merged. If you prefer, just replace with it a notice to tell people to run git log on contrib/verify-commits manually. |
|
@TheBlueMatt The two constructs that don't seem to work with /bin/sh are: |
|
@TheBlueMatt Again, if you want to encourage people, do it in a README file or similar which doesn't give the wrong impression about what's the right way to do it. Anyway, the necessity to audit the codebase in general should be something every security conscious developer should be aware of; calling out this program specifically may in itself give people the wrong impression. |
|
utACK 6d1016f543837fe3c7b0a48573771f4b17e35ff5 |
6d1016f to
e2764cb
Compare
|
@sipa Sorry, just rebased and added one more commit. |
|
ACK e2764cb23826908bde171067fc5d0b0659b18952 |
|
utACK e2764cb |
|
NACK. Please fix the two bash-isms instead of requiring bash, and avoid adding more OS-specificisms with GNU-isms (which aren't even in some BSDs). Feel free to move the warnings to a README file of somesort, though. |
|
@TheBlueMatt I don't know enough about bash to know what needs to be fixed or how; if you'd like to suggest some changes please do. But if it's not going to get fixed I'd rather the failure be clear - "bash is needed and isn't installed" - than unclear. |
|
The three commits at https://github.com/TheBlueMatt/bitcoin/commits/2016-20-7713-fixes should replace your top three just fine. |
Any attacker who managed to make an evil commit that changed something in the contrib/verify-commits/ directory could just as easily remove the warning and/or modify it to not display the evil commits; telling the user to check those commits specifically misleads them into checking just those commits rather than the script itself.
Also updated trusted git root to be right after gmaxwell's last merge.
e2764cb to
11164ec
Compare
|
Incorporated @TheBlueMatt's /bin/sh fixes, so no longer depending on bash again. |
|
reACK 11164ec (is it me, or is it obviously slower now?) |
|
Please do leave the warning telling people to check git log in... making people see it every time until it's removed definitely has value. If not it should be added to a README somewhere. On May 21, 2016 3:27:17 AM PDT, Gregory Maxwell notifications@github.com wrote:
|
|
@TheBlueMatt Git has had vulnerabilities before (example) where even just checking out source is sufficient to pwn your system; if you can run git log on the verify-commits directory it may be too late. If we're going to be giving advice on how to use verify-commits we should do it properly; for now removing that advice is very appropriate given that it's misleading at best. |
|
I find it rather unlikely that git log would have a vulnerability that cant also be triggered by some other checkout/pull/etc flow. I dont think telling people to run git log is bad advice here. |
|
Please add the warning back in. Seems otherwise we don't get agreement here to merge this. Its removal can be discussed separately. |
cf5c842 to
60a6b13
Compare
|
Added README explaining how to use verify-commits.sh safely; this should answer @TheBlueMatt's objection to removing the warning. |
60a6b13 to
966151e
Compare
|
Tested ACK (checked out this branch in one worktree, master in another, verified master using the code from this branch). |
|
Anything left to do here? |
|
@MarcoFalke IMO it's ready for merging. |
|
"This is an incomplete work in progress," It is? I'd say it works pretty well for its goals? On June 16, 2016 3:53:32 AM PDT, Peter Todd notifications@github.com wrote:
|
|
Also you might want to note that you can run git log with paths to get a list of changes to that path in the README, just because it's useful for these scripts and not really an obvious feature that everyone is aware of. On June 16, 2016 3:53:32 AM PDT, Peter Todd notifications@github.com wrote:
|
|
Can we please finish this? |
|
@laanwj I think we can improve the wording of the doc later. |
|
I mean I think the README is just wrong right now? We could have also taken the easy solution of splitting out the contentious change. On June 17, 2016 4:01:23 AM PDT, MarcoFalke notifications@github.com wrote:
|
| @@ -1,8 +1,5 @@ | |||
| 71A3B16735405025D447E8F274810B012346C9A6 | |||
| 1F4410F6A89268CE3197A84C57896D2FF8F0B657 | |||
There was a problem hiding this comment.
Nit: I think you can remove this line and clear allow-revsig-commits.
There was a problem hiding this comment.
Sorry, which line specifically?
Good point re: allow-revsig
There was a problem hiding this comment.
gpg --list-key --fingerprint 1F4410F6A89268CE3197A84C57896D2FF8F0B657 returns revoked key by @sipa. Once the commits signed by this key are buried under the trusted root, you could get rid of those lines in allow-revsig-commits.
|
@TheBlueMatt Sorry, but I'm kinda mystified why you think the README is wrong; I don't see it as controversial at all to describe this functionality as incomplete, given that we definitely need a convenient way for users to verify commits safely, prior to accidentally checking out repos and possibly running malicious code. I think it's good to point that out in the hope that others continue this starting point - and it's work that many other projects need as well (I personally use verify-commits in python-bitcoinlib, as well as some internal-use-only repos). |
Now that the trusted root is past all commits signed by that key we don't need it in the trusted-keys list, nor do we need to whitelist those commits in allow-revsig-commits
|
@MarcoFalke Fixed your nit re: sipa's old key. |
|
ACK 1e9aab0 Readme seems fine to me. |
|
utACK 1e9aab0.
I think the readme could be fixed later, if desired.
|
1e9aab0 Remove sipa's old revoked key from verify-commits (Peter Todd) 966151e Add README for verify-commits (Peter Todd) 11164ec Remove keys that are no longer used for merging (Peter Todd) 22421fa Remove pointless warning (Peter Todd) 9523e8a Make verify-commits path-independent (Matt Corallo) f7d4a25 Make verify-commits POSIX-compliant (Matt Corallo)
1e9aab0 Remove sipa's old revoked key from verify-commits (Peter Todd) 966151e Add README for verify-commits (Peter Todd) 11164ec Remove keys that are no longer used for merging (Peter Todd) 22421fa Remove pointless warning (Peter Todd) 9523e8a Make verify-commits path-independent (Matt Corallo) f7d4a25 Make verify-commits POSIX-compliant (Matt Corallo)
1e9aab0 Remove sipa's old revoked key from verify-commits (Peter Todd) 966151e Add README for verify-commits (Peter Todd) 11164ec Remove keys that are no longer used for merging (Peter Todd) 22421fa Remove pointless warning (Peter Todd) 9523e8a Make verify-commits path-independent (Matt Corallo) f7d4a25 Make verify-commits POSIX-compliant (Matt Corallo)
Tried to use it for another project and ran into some issues getting it to work on Debian 8