John Tapsell wrote:
> I'm concerned that no one is taking this security risk seriously.

If anyone relies on "git log -p" or "git log -p --cc" output to make sure that the untrusted code they use doesn't introduce unwanted behavior, they are making a serious mistake. A merge can completely undo important changes made in a side branch and "-c" and "--cc" will not show it.

The lack of "-c" cannot be a security issue here, because in normal life adding "-c" isn't a secure deployment strategy.

That's why if you want to review the code you are pulling in as a whole, it is worthwhile to do

    git diff HEAD...FETCH_HEAD

That is how you ask "What code changes does FETCH_HEAD introduce?" before putting your stamp of approval on them by merging and pushing out the result.

Unfortunately that doesn't protect you from maliciously written commits that will be encountered when bisecting. At some point you have to be able to trust people.

Hope that helps,
Jonathan
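The situation Jonathan describes, reproduced in a throwaway repository as an added example (this script is not part of the mail or of git itself). It assumes a `git` binary on PATH; the repository layout, the `config.ini` file, the branch names and the demo identity are all constructed for the demonstration. main lands a security fix; a side branch merges main and, in the merge commit's own resolution, drops that fix again. A reviewer reading `git log -p --cc HEAD..FETCH_HEAD` sees nothing about the file, because combined diffs omit paths whose merge result matches one parent; `git diff HEAD...FETCH_HEAD` shows the net change the branch would introduce.

```shell
#!/bin/sh
# Added example, not from the original mail: build a small repository in which a
# merge commit silently reverts a fix, then compare what two review commands show.
set -eu

REPO=$(mktemp -d)/repo
# constructed identity so commits work in a clean environment
export GIT_AUTHOR_NAME=demo GIT_AUTHOR_EMAIL=demo@example.invalid
export GIT_COMMITTER_NAME=demo GIT_COMMITTER_EMAIL=demo@example.invalid

# run git inside the demo repository, never signing commits
g() { git -C "$REPO" -c commit.gpgsign=false "$@"; }

build_repo() {
  git init -q "$REPO"
  g symbolic-ref HEAD refs/heads/main
  printf 'verify_signatures = false\n' > "$REPO/config.ini"
  g add config.ini && g commit -q -m 'initial config'
  base=$(g rev-parse HEAD)

  # main: the maintainer lands a security fix
  printf 'verify_signatures = true\n' > "$REPO/config.ini"
  g commit -q -am 'enable signature verification'

  # side branch: a harmless-looking change ...
  g checkout -q -b feature "$base"
  printf 'hello\n' > "$REPO/feature.txt"
  g add feature.txt && g commit -q -m 'add feature file'
  # ... followed by a merge of main whose resolution reverts the fix.
  # The result equals the feature-side parent, so -c/--cc omit config.ini.
  g merge -q --no-ff --no-commit main
  printf 'verify_signatures = false\n' > "$REPO/config.ini"
  g add config.ini && g commit -q -m 'merge main'

  # back on main, fetch the side branch as a reviewer would (FETCH_HEAD = feature tip)
  g checkout -q main
  g fetch -q . feature
}

# "yes" if the per-commit combined diffs show the flag being turned off, else "no"
log_shows_revert() {
  if g log -p --cc HEAD..FETCH_HEAD | grep -q 'verify_signatures = false'; then
    echo yes
  else
    echo no
  fi
}

# "yes" if the merge-base-to-tip diff shows the flag being turned off, else "no"
diff_shows_revert() {
  if g diff HEAD...FETCH_HEAD | grep -q '^+verify_signatures = false'; then
    echo yes
  else
    echo no
  fi
}

build_repo
echo "git log -p --cc HEAD..FETCH_HEAD reveals the revert: $(log_shows_revert)"
echo "git diff HEAD...FETCH_HEAD reveals the revert:       $(diff_shows_revert)"
```

The first line prints `no` and the second `yes`: the commit-by-commit view only shows the benign `feature.txt` addition, while the three-dot diff shows `-verify_signatures = true` / `+verify_signatures = false`, which is exactly the question "what does FETCH_HEAD introduce relative to what I have?".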