On Thu, Mar 4, 2010 at 3:09 PM, walt <w41ter@xxxxxxxxx> wrote: > I can't tell from the article if Perforce is any worse than any other scm > for security holes, in fact it seems to imply that others haven't been tested in > the same way. > > Just curious if anyone here has any thoughts about how the article may or > may not have any relevance for git (git being the scm I use most, by far, which > is the reason I'm interested). The attack was uninteresting. The paper seems to go on and on about different ways that an attacker can steal source code by accessing a poorly-secured SCM server. This discussion is kind of moot for git, where every single developer workstation has a complete copy of the entire project history anyway. An attack in which someone untraceably modified the repo to contain modified code would be a little more interesting. git makes this sort of thing pretty much impossible to do without it being *noticeable* at least. Traceable, not so much, because you can create a commit with whatever committer/author names you want and then push them in. Commits aren't GPG-signed, only tags are, so there are lots of ways to forge a commit from someone else and mess up the audit log. At least you can't edit old commits without people noticing, though. Have fun, Avery -- To unsubscribe from this list: send the line "unsubscribe git" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html