Re: Question about scm security holes

On 5 March 2010 03:19, Avery Pennarun <apenwarr@xxxxxxxxx> wrote:
> On Thu, Mar 4, 2010 at 10:00 PM, John Tapsell <johnflux@xxxxxxxxx> wrote:
>> On 5 March 2010 02:03, Avery Pennarun <apenwarr@xxxxxxxxx> wrote:
>>> modified code would be a little more interesting.  git makes this sort
>>> of thing pretty much impossible to do without it being *noticeable* at
>>> least.  Traceable, not so much, because you can create a commit with
>>> whatever committer/author names you want and then push them in.
>>
>> Which is why you simply record the username of whoever pushed them in.
>>  This is what gitorious.org does etc.
>
> Not bad, but it's still very hard to trace properly.  Imagine I pull
> from a peer, then push my combined branch into the central repo.
> It'll say I'm pushing in patches from me *and* my friend.  Did I forge
> them or are they real?

While true, it's still traceable back to you.  You did the push, so
you are responsible for that code.  It wouldn't be any different to
just pushing a bad commit yourself.
--
To unsubscribe from this list: send the line "unsubscribe git" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
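As an added example (not code from this thread, from gitorious.org or from git itself), here is what "record the username of whoever pushed" looks like as a server-side `post-receive` hook, together with a local demo that pushes a commit whose author and committer fields are both forged. The hook logs the pusher's account next to the identity each commit claims, so every commit in the pushed range, forged or pulled in from a friend, is attributed to the account that pushed it. The `GL_USER` fallback is an assumption borrowed from gitolite's convention; on a real server the pusher is whatever the SSH or HTTP layer authenticated, and the demo falls back to the local unix account. Paths and names are constructed for the demo.

```shell
#!/bin/sh
# Added example: log who pushed what, independent of the forgeable author/committer fields.

# Install a post-receive hook into the bare repository given as $1.
install_push_log_hook() {
    bare="$1"
    cat > "$bare/hooks/post-receive" <<'EOF'
#!/bin/sh
# Runs inside the bare repo after the refs are updated; stdin carries
# "old-sha new-sha refname" lines, one per updated ref.
# The pusher is the authenticated account: GL_USER is gitolite's convention
# (an assumption here); otherwise fall back to the unix account receive-pack runs as.
pusher="${GL_USER:-$(id -un 2>/dev/null || id -u)}"
zero=0000000000000000000000000000000000000000
log="$(git rev-parse --git-dir)/push.log"
while read -r old new ref; do
    # A newly created ref has an all-zero old sha: log everything reachable from new.
    if [ "$old" = "$zero" ]; then range="$new"; else range="$old..$new"; fi
    git log --format="%H author=%an <%ae> committer=%cn <%ce> ref=$ref pushed-by=$pusher" \
        "$range" >> "$log"
done
EOF
    chmod +x "$bare/hooks/post-receive"
}

# Demo: forge both identity fields on a commit, push it, and print the server's push log.
# Prints the log so the caller can inspect who actually pushed the "Alice" commit.
demo_forged_push() {
    tmp="$(mktemp -d)"
    bare="$tmp/central.git"
    work="$tmp/work"

    git init -q --bare "$bare"
    install_push_log_hook "$bare"

    git init -q "$work"
    git -C "$work" symbolic-ref HEAD refs/heads/main

    # Author and committer are free-form strings in the commit object; anyone can
    # set them to whatever they like. "Alice Maintainer" is a constructed name.
    GIT_AUTHOR_NAME="Alice Maintainer" GIT_AUTHOR_EMAIL="alice@example.invalid" \
    GIT_COMMITTER_NAME="Alice Maintainer" GIT_COMMITTER_EMAIL="alice@example.invalid" \
    git -C "$work" commit -q --allow-empty -m "Looks like Alice wrote this"

    # Push into the "central" repo; the hook records the real pusher.
    git -C "$work" push -q "$bare" main:main 2>/dev/null

    cat "$bare/push.log"
    rm -rf "$tmp"
}

demo_forged_push
```

The logged line shows `author=Alice Maintainer ... committer=Alice Maintainer ...` followed by `pushed-by=<the account that ran the push>`: the forged names survive intact in the commit, but the push log ties the commit to the account that introduced it into the central repository. Note that the hook sees only the ref update, not where the commits came from, so commits you pulled from a peer and pushed on are logged under your name, which is exactly the accountability point made above.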
