id like to point out that while you can't modify tagged+gpg signed tag commits, you can modify non signed commits (aka any commit that isnt a tag) and it'll get signed when it gets tagged.
that's also assuming that tags are gpg signed, which they often are not,even on kernel.org
non signed can be actually tampered with and they do need to check the code thoroughly with 3rd party older archives which is a PITA.
Code signing > x, including per commit signing mr Linus T and GIT maintainers.
Note that they were against per commit signing because "when you sign the tag, you sign everything so its ok".
Except you wont read all the patches you sign when you sign the tag, and if any has been modified, as explained, you don't know. Again, per commit signing solves it.
It's not a question about whether you read them; code review isn't the mechanism. The modified commits will have different hashes and thus cause merge failures for anyone that already has them in a local repo. At the very least, that's going to include Linus and everyone downstream as far as the original author. None of these people need to do anything to notice the tampering beyond trying to merge from mainline.
That may not be perfect, but it sounds pretty robust to me.
it does not matter, you can add a new commit (or modify an old one anyway since it'll work fine - but lets say you notice it, so we add a commit)
you make the commit look legit and all, its going to be pretty difficult to say where its coming from and which has been tampered with, since, of course, linus himself will have it when he pulls it.
and that's not just linux.git, but also the ton of other .git's in there, which linus will pull from and will not read every line of.
The caveat here is as real as it can get. usually when it looks "slightly complex" people overlook the security aspect "no one is going to do such an attack"
then the attack happens, often unnoticed, because the attackers aren't lazy if there's a hole they use it.
Somebody might not notice a malicious commit when they pull the tree, but the maintainer will definitely notice the next time he pushes to that tree. Having a push rejected because it's not a fast-forward gets your attention every time.
But what value does adding an arbitrary unconnected commit have to an attacker? The only sane goal would be sneaking exploit code into a "released" version that will be shipped.
In order to do that, you need to somehow get Linus to merge it successfully. And that doesn't work per git's design.
If all you want is to have "exploitable" commit IDs in the kernel git, you don't need to do anything sneaky at all! They're already there, being historical bugs that have since been fixed.
But that's just HEAD. No offense, but so what? Clearly anyone (sane) running off of a development branch isn't doing so on a security sensitive system. It's an exploit, but only of development systems and a tiny handful of hacker's personal boxes. The value there to an attacker is very low.
What you can't do is inject code that ends up in 3.1-rc5, because before that gets tagged Linus (and a lot of other people) would have to do a merge that would fail inexplicably.
But to be clear: yes, with access to the repository you can (for a brief moment until it's noticed) inject exploit code that will be picked up by anyone building and running an untagged branch HEAD.
Ubuntu does daily kernel builds and many people run that kernel - to see if some bug has been fixed, to get support for their newer hardware etc. Lots of reasons perfectly sane people can end up testing a daily build.
Linus and co. do read every patch. Either Linus or somebody Linus trusts absolutely, has read each patch going into the kernel. Also, release tags are signed, for every single kernel release.
The way git works is that every new commit depends on every commit before it. Since no code is brought into the trees without checking the commit IDs, there's no way that any non-tagged commit could be modified without somebody noticing.
I understand that you don't like git, but you might want to read up on how the kernel is developed before making spurious claims.
that's also assuming that tags are gpg signed, which they often are not,even on kernel.org
non signed can be actually tampered with and they do need to check the code thoroughly with 3rd party older archives which is a PITA.
Code signing > x, including per commit signing mr Linus T and GIT maintainers.
Note that they were against per commit signing because "when you sign the tag, you sign everything so its ok".
Except you wont read all the patches you sign when you sign the tag, and if any has been modified, as explained, you don't know. Again, per commit signing solves it.
Food for though I guess.