On Thu, Apr 11, 2013 at 6:36 PM, John Tapsell <johnflux@xxxxxxxxx> wrote:
> I noticed that code that you put in merge will not be visible by
> default. This seems like a pretty horrible security problem, no?
>
> I made the following test tree, with just 3 commits:
>
> https://github.com/johnflux/ExampleEvilness.git
>
> Doing "git log -p" shows all very innocent commits. Completely
> hidden is the change to add "EVIL CODE MUWHAHAHA".
>
> This seems really dangerous!
>
> The evil code only shows up with the non-default --cc or -m option.

For email-based patch workflows (e.g. git, linux kernel), this is not a problem - the diff doesn't even show up, so nothing is applied when git-am is run.

For github with pull-requests, a diff is shown between trees, so this will show up.

--
Cheers,
Ray Chuan
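A reviewer-side check for the behaviour discussed in this thread, as an added example that is not part of the original messages: it lists merge commits whose `--cc` combined diff is non-empty, which is where a change made only in the merge becomes visible. The fixture repository, file names and function names are constructed for illustration.

```shell
#!/bin/sh
# Constructed fixture: a base commit, one side-branch commit, and a merge
# commit whose tree contains a line that exists in neither parent.
build_demo_repo() (
    set -e
    git init -q "$1"
    cd "$1"
    git config user.name "Demo"
    git config user.email "demo@example.invalid"
    echo "base" > app.txt
    git add app.txt
    git commit -q -m "Initial commit"
    git checkout -q -b side
    echo "feature" > feature.txt
    git add feature.txt
    git commit -q -m "Add feature"
    git checkout -q -                      # back to the initial branch
    git merge -q --no-ff --no-commit side  # stop before recording the merge
    echo "line added only in the merge" >> app.txt
    git add app.txt
    git commit -q -m "Merge branch 'side'"
)

# Print every merge commit reachable from HEAD in repository $1 whose
# --cc combined diff is non-empty, i.e. whose content differs from all
# of its parents. Hand-resolved conflicts are listed as well, so the
# output is a queue of merges to read, not a verdict.
list_content_merges() {
    for c in $(git -C "$1" rev-list --merges HEAD); do
        if [ -n "$(git -C "$1" show --cc --format= "$c")" ]; then
            echo "$c"
        fi
    done
}
```

Run `list_content_merges /path/to/repo` and inspect each printed commit with `git show --cc <commit>`.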