On Wed, Aug 03, 2016 at 10:14:21AM -0700, Stefan Beller wrote: > On Wed, Aug 3, 2016 at 8:25 AM, Santiago Torres <santiago@xxxxxxx> wrote: > > > share things before they are published. Thankfully, this is OK in > >> > USENIX's book. Here's the link: > >> > http://i2.cdn.turner.com/cnnnext/dam/assets/160730192650-14new-week-in-politics-super-169.jpg > >> > >> While I had a good laugh, I am wondering whether this is the correct link? > > > > Oh my god, sorry, I meant to p, not to ctrl + v. My head is all over the > > place as of late. > > > > Here's the correct link: > > > > http://isis.poly.edu/~jcappos/papers/torres_toto_usenixsec-2016.pdf > > In 4.1 you write: > > Finally, Git submodules are also vulnerable, as they automatically track > > a tag (or branch). If a build dependency is included in a project as a part > > of the submodule, a package might be vulnerable via an underlying library. > > Submodules actually track commits, not tags or branches. > > This is confusing for some users, e.g. the user intended to track > a library at version 1.1, but it tracks 1234abcd instead (which is what > 1.1 points at). I'm assuming that git submodule update does update where the ref points to, does it not? let me dig into this and try to take the necessary measures to correct this Thanks for the feedback! -Santiago. -- To unsubscribe from this list: send the line "unsubscribe git" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
