Subject: Re: Tricking peer review
From: Liliana Marie Prikler
To: Ryan Prior
Date: Sat, 16 Oct 2021 00:45:23 +0200
References: <874k9if7am.fsf@inria.fr>
List-Id: "Development of GNU Guix and the GNU System distribution."
Cc: guix-devel@gnu.org, Ludovic Courtès

On Friday, 15.10.2021 at 22:28 +0000, Ryan Prior wrote:
> On Friday, October 15th, 2021 at 10:03 PM, Liliana Marie Prikler
> <liliana.prikler@gmail.com> wrote:
>
> > > On the plus side, such an attack would be recorded forever in Git
> > > history.
> >
> > On the minus side, time-machine makes said record a landmine to
> > step into.
>
> I've suggested this before and this seems like a good time to bring
> it up again: can we create a database of known "bad" Guix commit
> hashes, and make time-machine fetch the list and warn before it'll
> visit one of those hashes? This would resolve the land-mine problem
> and generally de-risk our git tree, which is maintained by fallible
> volunteers who will occasionally push tragic commits.

I don't think things would be quite as simple. A "bad" commit might
still be perfectly fine to fetch certain things from if they're
unaffected by it, plus you're now tasked with the job of keeping the
list of bad commits safe somehow. In some situations resetting a
branch might work, but obviously not for months old sleeper commits.
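
The trade-off raised in this reply, as an added example that is not part of the original message and is not Guix code: a check that scopes each listed commit to the packages it affects and refuses a list that does not match a pinned digest. The list format, the function names and the commit ids are hypothetical; the pinned digest stands in for whatever authentication a real list would need.

```python
import hashlib
import hmac
import json

# Constructed sample list: commit ids, package names and reasons are made up.
# "affected": ["*"] marks a commit that is unsafe whatever is fetched from it.
SAMPLE_LIST = json.dumps({
    "bad_commits": [
        {"commit": "a" * 40, "affected": ["foo"],
         "reason": "tampered source hash"},
        {"commit": "b" * 40, "affected": ["*"],
         "reason": "malicious build-system change"},
    ]
}, sort_keys=True).encode()

# Assumption: the expected digest reaches the client over a channel the
# attacker cannot rewrite. Pinning only moves the trust problem: whoever
# can change the pin can change the list, which is the "keeping the list
# safe" concern from the message.
PINNED_SHA256 = hashlib.sha256(SAMPLE_LIST).hexdigest()


def load_list(raw: bytes, pinned_sha256: str) -> dict:
    """Parse the list only if its SHA-256 matches the pinned digest."""
    digest = hashlib.sha256(raw).hexdigest()
    if not hmac.compare_digest(digest, pinned_sha256):
        raise ValueError("bad-commit list failed integrity check")
    return {e["commit"]: e for e in json.loads(raw)["bad_commits"]}


def check(commit: str, wanted: set, index: dict) -> tuple:
    """Return (verdict, reason); verdict is 'ok', 'warn' or 'block'."""
    entry = index.get(commit)
    if entry is None:
        return ("ok", "commit not listed")
    affected = set(entry["affected"])
    if "*" in affected or affected & wanted:
        return ("block", entry["reason"])
    # Listed, but nothing requested is affected: warn instead of refusing,
    # since the commit may still be fine for these packages.
    return ("warn", "listed, requested packages unaffected: " + entry["reason"])


if __name__ == "__main__":
    idx = load_list(SAMPLE_LIST, PINNED_SHA256)
    for commit, wanted in [("a" * 40, {"bar"}), ("a" * 40, {"foo"}),
                           ("b" * 40, {"bar"}), ("c" * 40, {"foo"})]:
        print(commit[:8], sorted(wanted), check(commit, wanted, idx))
```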