On Sat, Aug 23, 2014 at 01:17:01AM -0500, Troy Benjegerdes wrote:
> This is why I clone git to mercurial, which is generally designed around the
> assumption that history is immutable. You can't rewrite blockchain history,
> and we should not be re-writing (rebasing) commit history either.

Git commits serve two purposes: recording public history and
communication.  While for the purpose of recording history immutable
commits make sense, for the purpose of communicating to other developers
what changes should be added to that history you *do* want the mutable
commits that git's rebase functionality supports. Much like how
university math classes essentially never teach calculus in the order it
was developed, it is rare indeed for the way you happened to develop
some functionality to be the best sequence of changes for other
developers to understand why and what is being changed.

Anyway, just because mercurial is designed around the assumption that
commit history is immutable doesn't mean it actually is; an attacker can
fake a series of mercurial commits just as easily as they can git
commits. The only thing that protects against history rewriting is
signed commits and timestamps.


> The problem with github is it's too tempting to look at the *web page*, which 
> is NOT pgp-signed, and hit the 'approve' button when you might have someone
> in the middle approving an unsigned changeset because you're in a hurry to
> get the latest new critical OpenSSL 0day security patch build released.
> 
> We need multiple redundant 'master' repositories run by different people in
> different jurisdictions that get updated on different schedules, and have all
> of these people pay attention to operational security, and not just outsource
> it all to github because it's convenient.

The easiest and most useful way to achieve that would be to have a
formal program of code review, perhaps on a per-release basis, that
reviewed the diffs between the previous release and the new one. Master
repos in this scenario are simply copies of the "master master" repo
that someone has manually verified and signed-off on, with of course a
PGP signature.

If you feel like volunteering to maintain one of these repos, you may
find my Litecoin v0.8.3.7 audit report to be a useful template:

https://bitcointalk.org/index.php?topic=265582.0

-- 
'peter'[:-1]@petertodd.org
0000000000000000284b07a00c97e4770dda4dee8b45994440226435ee05ab66