Received: from sog-mx-1.v43.ch3.sourceforge.com ([172.29.43.191]
	helo=mx.sourceforge.net)
	by sfs-ml-1.v29.ch3.sourceforge.com with esmtp (Exim 4.76)
	(envelope-from <pete@petertodd.org>) id 1XLCOH-0004GJ-0w
	for bitcoin-development@lists.sourceforge.net;
	Sat, 23 Aug 2014 14:34:01 +0000
Received-SPF: pass (sog-mx-1.v43.ch3.sourceforge.com: domain of petertodd.org
	designates 62.13.149.113 as permitted sender)
	client-ip=62.13.149.113; envelope-from=pete@petertodd.org;
	helo=outmail149113.authsmtp.com; 
Received: from outmail149113.authsmtp.com ([62.13.149.113])
	by sog-mx-1.v43.ch3.sourceforge.com with esmtp (Exim 4.76)
	id 1XLCO1-0005Fy-Nx for bitcoin-development@lists.sourceforge.net;
	Sat, 23 Aug 2014 14:34:00 +0000
Received: from mail-c237.authsmtp.com (mail-c237.authsmtp.com [62.13.128.237])
	by punt15.authsmtp.com (8.14.2/8.14.2/) with ESMTP id s7NEWbsX030153;
	Sat, 23 Aug 2014 15:32:37 +0100 (BST)
Received: from savin.petertodd.org (75-119-251-161.dsl.teksavvy.com
	[75.119.251.161]) (authenticated bits=128)
	by mail.authsmtp.com (8.14.2/8.14.2/) with ESMTP id s7NEWQiR040942
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NO);
	Sat, 23 Aug 2014 15:32:28 +0100 (BST)
Date: Sat, 23 Aug 2014 10:32:15 -0400
From: Peter Todd <pete@petertodd.org>
To: Troy Benjegerdes <hozer@hozed.org>
Message-ID: <20140823143215.GA18452@savin.petertodd.org>
References: <CAJHLa0NXAYh9HzazN6gArUV8y7J8_G0oqkZqPBgibpW0wRNxKQ@mail.gmail.com>
	<2302927.fMx0I5lQth@1337h4x0r>
	<20140823061701.GQ22640@nl.grid.coop>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha256;
	protocol="application/pgp-signature"; boundary="y0ulUmNC+osPPQO6"
Content-Disposition: inline
In-Reply-To: <20140823061701.GQ22640@nl.grid.coop>
User-Agent: Mutt/1.5.21 (2010-09-15)
X-Server-Quench: 4f61877b-2ad2-11e4-9f74-002590a135d3
X-AuthReport-Spam: If SPAM / abuse - report it at:
	http://www.authsmtp.com/abuse
X-AuthRoute: OCd2Yg0TA1ZNQRgX IjsJECJaVQIpKltL GxAVKBZePFsRUQkR
	aQdMdAEUGUATAgsB AmIbWlFeU197W2o7 bA9PbARUfEhLXhtr
	VklWR1pVCwQmQht/ c3l/C3tycwVPfHw+ ZEBmX3IVWBJ8dE56
	RRxJFzxSZ3phaTUb TUkOcAdJcANIexZF O1F8UScOLwdSbGoL
	NQ4vNDcwO3BTJTpY RgYVKF8UXXNDJDM3 QBYZHDkiB0wDSG08 LgAmN1R0
X-Authentic-SMTP: 61633532353630.1024:706
X-AuthFastPath: 0 (Was 255)
X-AuthSMTP-Origin: 75.119.251.161/587
X-AuthVirus-Status: No virus detected - but ensure you scan with your own
	anti-virus system.
X-Spam-Score: -1.5 (-)
X-Spam-Report: Spam Filtering performed by mx.sourceforge.net.
	See http://spamassassin.org/tag/ for more details.
	-1.5 SPF_CHECK_PASS SPF reports sender host as permitted sender for
	sender-domain
	-0.0 SPF_PASS               SPF: sender matches SPF record
	0.0 TIME_LIMIT_EXCEEDED    Exceeded time limit / deadline
X-Headers-End: 1XLCO1-0005Fy-Nx
Cc: bitcoin-development@lists.sourceforge.net
Subject: Re: [Bitcoin-development] Reconsidering github
X-BeenThere: bitcoin-development@lists.sourceforge.net
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: <bitcoin-development.lists.sourceforge.net>
List-Unsubscribe: <https://lists.sourceforge.net/lists/listinfo/bitcoin-development>,
	<mailto:bitcoin-development-request@lists.sourceforge.net?subject=unsubscribe>
List-Archive: <http://sourceforge.net/mailarchive/forum.php?forum_name=bitcoin-development>
List-Post: <mailto:bitcoin-development@lists.sourceforge.net>
List-Help: <mailto:bitcoin-development-request@lists.sourceforge.net?subject=help>
List-Subscribe: <https://lists.sourceforge.net/lists/listinfo/bitcoin-development>,
	<mailto:bitcoin-development-request@lists.sourceforge.net?subject=subscribe>
X-List-Received-Date: Sat, 23 Aug 2014 14:34:01 -0000


--y0ulUmNC+osPPQO6
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Sat, Aug 23, 2014 at 01:17:01AM -0500, Troy Benjegerdes wrote:
> This is why I clone git to mercurial, which is generally designed around =
the
> assumption that history is immutable. You can't rewrite blockchain histor=
y,
> and we should not be re-writing (rebasing) commit history either.

Git commits serve two purposes: recording public history and
communication.  While for the purpose of recording history immutable
commits make sense, for the purpose of communicating to other developers
what changes should be added to that history you *do* want the mutable
commits that git's rebase functionality supports. Much like how
university math classes essentially never teach calculus in the order it
was developed, it is rare indeed for the way you happened to develop
some functionality to be the best sequence of changes for other
developers to understand why and what is being changed.

Anyway, just because mercurial is designed around the assumption that
commit history is immutable doesn't mean it actually is; an attacker can
fake a series of mercurial commits just as easily as they can git
commits. The only thing that protects against history rewriting is
signed commits and timestamps.


> The problem with github is it's too tempting to look at the *web page*, w=
hich=20
> is NOT pgp-signed, and hit the 'approve' button when you might have someo=
ne
> in the middle approving an unsigned changeset because you're in a hurry to
> get the latest new critical OpenSSL 0day security patch build released.
>=20
> We need multiple redundant 'master' repositories run by different people =
in
> different jurisdictions that get updated on different schedules, and have=
 all
> of these people pay attention to operational security, and not just outso=
urce
> it all to github because it's convenient.

The easiest and most useful way to achieve that would be to have a
formal program of code review, perhaps on a per-release basis, that
reviewed the diffs between the previous release and the new one. Master
repos in this scenario are simply copies of the "master master" repo
that someone has manually verified and signed-off on, with of course a
PGP signature.

If you feel like volunteering to maintain one of these repos, you may
find my Litecoin v0.8.3.7 audit report to be a useful template:

https://bitcointalk.org/index.php?topic=3D265582.0

--=20
'peter'[:-1]@petertodd.org
0000000000000000284b07a00c97e4770dda4dee8b45994440226435ee05ab66

--y0ulUmNC+osPPQO6
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature

-----BEGIN PGP SIGNATURE-----

iQGrBAEBCACVBQJT+KXpXhSAAAAAABUAQGJsb2NraGFzaEBiaXRjb2luLm9yZzAw
MDAwMDAwMDAwMDAwMDAyODRiMDdhMDBjOTdlNDc3MGRkYTRkZWU4YjQ1OTk0NDQw
MjI2NDM1ZWUwNWFiNjYvFIAAAAAAFQARcGthLWFkZHJlc3NAZ251cGcub3JncGV0
ZUBwZXRlcnRvZC5vcmcACgkQJIFAPaXwkfs5HQf/USD5IrkYNK+ObJO74aHXxW0e
SHOksPZbE4GIGMjXG+qAshGJt7dPuopbeO1TdVmmY/frq8rdW3fgtMzbEv0y7ESi
eCDpwook0YQC8Z7aBKwQFzYelWOyprvIHyGtR058TyxsqBOCHvqn5TI3zxAl8g8N
11VWmLZ5xfQULFvtDFk8mX3TXSkg8Ke5ZQBdrQuTFIne0UjfAuELddqBXMZyPOow
QdsXzmY0+RpqV8vgoU8RddYvqlx/8qGLdi+tdj+TuRVPGN041suHhFHU5ysLL2ow
CHE573o+w+MLMFhd9FOR2L0ENOArppk5hXzSofW6o0xuGNJCC3QXof6Z9mkr6g==
=8oGm
-----END PGP SIGNATURE-----

--y0ulUmNC+osPPQO6--