On Wed, Aug 3, 2016 at 8:25 AM, Santiago Torres <santiago@xxxxxxx> wrote: > > share things before they are published. Thankfully, this is OK in >> > USENIX's book. Here's the link: >> > http://i2.cdn.turner.com/cnnnext/dam/assets/160730192650-14new-week-in-politics-super-169.jpg >> >> While I had a good laugh, I am wondering whether this is the correct link? > > Oh my god, sorry, I meant to p, not to ctrl + v. My head is all over the > place as of late. > > Here's the correct link: > > http://isis.poly.edu/~jcappos/papers/torres_toto_usenixsec-2016.pdf In 4.1 you write: > Finally, Git submodules are also vulnerable, as they automatically track > a tag (or branch). If a build dependency is included in a project as a part > of the submodule, a package might be vulnerable via an underlying library. Submodules actually track commits, not tags or branches. This is confusing for some users, e.g. the user intended to track a library at version 1.1, but it tracks 1234abcd instead (which is what 1.1 points at). Thanks, Stefan > > Thanks! > -Santiago. > -- > To unsubscribe from this list: send the line "unsubscribe git" in > the body of a message to majordomo@xxxxxxxxxxxxxxx > More majordomo info at http://vger.kernel.org/majordomo-info.html -- To unsubscribe from this list: send the line "unsubscribe git" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
