17:45:26 -xmr-pr- xiphon opened pull request #2963: cmake: fix x11 linking
17:45:27 -xmr-pr- > https://github.com/monero-project/monero-gui/pull/2963
18:49:14 <selsta> .merge+ 2963
18:49:18 <selsta> .merge+ #2963
18:49:19 <xmr-pr> Added
18:49:22 <selsta> .merges
18:49:22 -xmr-pr- #2933 #2937 #2947 #2950 #2959 #2961 #2962 #2963
21:11:26 <kinghat[m]> is there such a thing as immutable git? no "force push and backdating PRs/commits"?
21:14:23 <moneromooo> Assuming SHA1 can not be pwned (or you use a post-SHA1 git repo), then you can't alter history without the commit hashes changing.
21:14:50 <moneromooo> Assuming SHA1 can not be pwned is not quite sane at this moment.
21:16:58 <sarang> kinghat[m]: what do you mean by "immutable"?
21:17:17 <sarang> a force-push is a new branch of the commit graph
21:17:22 <moneromooo> That which can be immuted. Obviously.
21:17:24 <sarang> there's no way to prevent this, but it's detectable
21:17:33 <sarang> (assuming no hash collisions...)
21:18:02 <sarang> a repo host (like github) could always prevent this by its own policy
21:18:42 <sarang> So I suppose it's "sort of" preventable =p
21:18:59 <sarang> It's preventable by a repo host, but not inherently by the way git operates, is what I mean
21:20:12 <kinghat[m]> we were talking about the hash checking on the gui updater in here on the 11th
21:20:38 <kinghat[m]> fluffy was saying its not hard to change git history.
21:21:07 <sarang> It's hard to change it without affecting the hash
21:21:36 <sarang> It's very hard to change it if the commits are signed
21:21:45 <sarang> What are you looking to do?
21:22:59 <kinghat[m]> i was just wondering if it would be better to check the hash from two locations instead of a single source.
21:23:37 <kinghat[m]> but selsta already mention that it was probably overkill the way it is and would be giving gh data about users checking the hash iirc
21:23:41 <sarang> The hash of what?
21:24:03 <kinghat[m]> the binary iirc
21:24:12 <sarang> That has nothing to do with git
21:26:13 * kinghat[m] sent a long message:  < https://matrix.org/_matrix/media/r0/download/matrix.org/KGWUGwajDlTCGEcEJcYJNOjQ >
21:26:53 <kinghat[m]> i then asked if there would be a public trace of the compromise. and thats where the backdating of a pr/commit came into context.
21:26:59 <sarang> Compromise of what?
21:27:05 <sarang> The binary or the git repo?
21:27:08 <sarang> Or both?
21:27:13 <kinghat[m]> a dev
21:27:29 <sarang> Well, you're checking for two sigs from maintainers already, right?
21:27:40 <kinghat[m]> dev > repo > binary
21:27:41 <selsta> That does not make sense because if you have server access you can change a file, there would be no trace on github.
21:28:16 <selsta> If you mean the auto updater specifically, you would see which maintainer signed the bad hashes.
21:30:10 <kinghat[m]> ya but you would have to compromise the monero server and github
21:31:52 <selsta> If someone compromises 3 DNS servers, the website and two maintainer signatures then there is no reason to believe that they couldn’t get into the Github of a maintainer.
21:36:37 <kinghat[m]> true
21:36:48 <selsta> I consider GPG sig compromised = fully compromised
21:36:54 <kinghat[m]> something something repo builds 😂
21:37:58 <selsta> soon^tm :D