Received: from sog-mx-1.v43.ch3.sourceforge.com ([172.29.43.191] helo=mx.sourceforge.net) by sfs-ml-1.v29.ch3.sourceforge.com with esmtp (Exim 4.76) (envelope-from ) id 1XLCOH-0004GJ-0w for bitcoin-development@lists.sourceforge.net; Sat, 23 Aug 2014 14:34:01 +0000 Received-SPF: pass (sog-mx-1.v43.ch3.sourceforge.com: domain of petertodd.org designates 62.13.149.113 as permitted sender) client-ip=62.13.149.113; envelope-from=pete@petertodd.org; helo=outmail149113.authsmtp.com; Received: from outmail149113.authsmtp.com ([62.13.149.113]) by sog-mx-1.v43.ch3.sourceforge.com with esmtp (Exim 4.76) id 1XLCO1-0005Fy-Nx for bitcoin-development@lists.sourceforge.net; Sat, 23 Aug 2014 14:34:00 +0000 Received: from mail-c237.authsmtp.com (mail-c237.authsmtp.com [62.13.128.237]) by punt15.authsmtp.com (8.14.2/8.14.2/) with ESMTP id s7NEWbsX030153; Sat, 23 Aug 2014 15:32:37 +0100 (BST) Received: from savin.petertodd.org (75-119-251-161.dsl.teksavvy.com [75.119.251.161]) (authenticated bits=128) by mail.authsmtp.com (8.14.2/8.14.2/) with ESMTP id s7NEWQiR040942 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NO); Sat, 23 Aug 2014 15:32:28 +0100 (BST) Date: Sat, 23 Aug 2014 10:32:15 -0400 From: Peter Todd To: Troy Benjegerdes Message-ID: <20140823143215.GA18452@savin.petertodd.org> References: <2302927.fMx0I5lQth@1337h4x0r> <20140823061701.GQ22640@nl.grid.coop> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="y0ulUmNC+osPPQO6" Content-Disposition: inline In-Reply-To: <20140823061701.GQ22640@nl.grid.coop> User-Agent: Mutt/1.5.21 (2010-09-15) X-Server-Quench: 4f61877b-2ad2-11e4-9f74-002590a135d3 X-AuthReport-Spam: If SPAM / abuse - report it at: http://www.authsmtp.com/abuse X-AuthRoute: OCd2Yg0TA1ZNQRgX IjsJECJaVQIpKltL GxAVKBZePFsRUQkR aQdMdAEUGUATAgsB AmIbWlFeU197W2o7 bA9PbARUfEhLXhtr VklWR1pVCwQmQht/ c3l/C3tycwVPfHw+ ZEBmX3IVWBJ8dE56 RRxJFzxSZ3phaTUb TUkOcAdJcANIexZF O1F8UScOLwdSbGoL NQ4vNDcwO3BTJTpY RgYVKF8UXXNDJDM3 QBYZHDkiB0wDSG08 LgAmN1R0 X-Authentic-SMTP: 61633532353630.1024:706 X-AuthFastPath: 0 (Was 255) X-AuthSMTP-Origin: 75.119.251.161/587 X-AuthVirus-Status: No virus detected - but ensure you scan with your own anti-virus system. X-Spam-Score: -1.5 (-) X-Spam-Report: Spam Filtering performed by mx.sourceforge.net. See http://spamassassin.org/tag/ for more details. -1.5 SPF_CHECK_PASS SPF reports sender host as permitted sender for sender-domain -0.0 SPF_PASS SPF: sender matches SPF record 0.0 TIME_LIMIT_EXCEEDED Exceeded time limit / deadline X-Headers-End: 1XLCO1-0005Fy-Nx Cc: bitcoin-development@lists.sourceforge.net Subject: Re: [Bitcoin-development] Reconsidering github X-BeenThere: bitcoin-development@lists.sourceforge.net X-Mailman-Version: 2.1.9 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 23 Aug 2014 14:34:01 -0000 --y0ulUmNC+osPPQO6 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Sat, Aug 23, 2014 at 01:17:01AM -0500, Troy Benjegerdes wrote: > This is why I clone git to mercurial, which is generally designed around = the > assumption that history is immutable. You can't rewrite blockchain histor= y, > and we should not be re-writing (rebasing) commit history either. Git commits serve two purposes: recording public history and communication. While for the purpose of recording history immutable commits make sense, for the purpose of communicating to other developers what changes should be added to that history you *do* want the mutable commits that git's rebase functionality supports. Much like how university math classes essentially never teach calculus in the order it was developed, it is rare indeed for the way you happened to develop some functionality to be the best sequence of changes for other developers to understand why and what is being changed. Anyway, just because mercurial is designed around the assumption that commit history is immutable doesn't mean it actually is; an attacker can fake a series of mercurial commits just as easily as they can git commits. The only thing that protects against history rewriting is signed commits and timestamps. > The problem with github is it's too tempting to look at the *web page*, w= hich=20 > is NOT pgp-signed, and hit the 'approve' button when you might have someo= ne > in the middle approving an unsigned changeset because you're in a hurry to > get the latest new critical OpenSSL 0day security patch build released. >=20 > We need multiple redundant 'master' repositories run by different people = in > different jurisdictions that get updated on different schedules, and have= all > of these people pay attention to operational security, and not just outso= urce > it all to github because it's convenient. The easiest and most useful way to achieve that would be to have a formal program of code review, perhaps on a per-release basis, that reviewed the diffs between the previous release and the new one. Master repos in this scenario are simply copies of the "master master" repo that someone has manually verified and signed-off on, with of course a PGP signature. If you feel like volunteering to maintain one of these repos, you may find my Litecoin v0.8.3.7 audit report to be a useful template: https://bitcointalk.org/index.php?topic=3D265582.0 --=20 'peter'[:-1]@petertodd.org 0000000000000000284b07a00c97e4770dda4dee8b45994440226435ee05ab66 --y0ulUmNC+osPPQO6 Content-Type: application/pgp-signature; name="signature.asc" Content-Description: Digital signature -----BEGIN PGP SIGNATURE----- iQGrBAEBCACVBQJT+KXpXhSAAAAAABUAQGJsb2NraGFzaEBiaXRjb2luLm9yZzAw MDAwMDAwMDAwMDAwMDAyODRiMDdhMDBjOTdlNDc3MGRkYTRkZWU4YjQ1OTk0NDQw MjI2NDM1ZWUwNWFiNjYvFIAAAAAAFQARcGthLWFkZHJlc3NAZ251cGcub3JncGV0 ZUBwZXRlcnRvZC5vcmcACgkQJIFAPaXwkfs5HQf/USD5IrkYNK+ObJO74aHXxW0e SHOksPZbE4GIGMjXG+qAshGJt7dPuopbeO1TdVmmY/frq8rdW3fgtMzbEv0y7ESi eCDpwook0YQC8Z7aBKwQFzYelWOyprvIHyGtR058TyxsqBOCHvqn5TI3zxAl8g8N 11VWmLZ5xfQULFvtDFk8mX3TXSkg8Ke5ZQBdrQuTFIne0UjfAuELddqBXMZyPOow QdsXzmY0+RpqV8vgoU8RddYvqlx/8qGLdi+tdj+TuRVPGN041suHhFHU5ysLL2ow CHE573o+w+MLMFhd9FOR2L0ENOArppk5hXzSofW6o0xuGNJCC3QXof6Z9mkr6g== =8oGm -----END PGP SIGNATURE----- --y0ulUmNC+osPPQO6--