Is git clone followed by git verify-tag meaningful?
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
- Subject: Is git clone followed by git verify-tag meaningful?
- From: Konstantin Ryabitsev <konstantin@xxxxxxxxxxxxxxxxxxx>
- Date: Wed, 28 Aug 2019 16:32:24 -0400
- Mail-followup-to: git@xxxxxxxxxxxxxxx
- User-agent: Mutt/1.12.1 (2019-06-15)
Hi, all:
If I know that a project uses tag signing, would "git clone" followed by
"git verify-tag" be meaningful without a "git fsck" in-between? I.e. if
an attacker has control over the remote server, can they sneak in any
badness into any of the resulting files and still have the clone,
checkout, and verify-tag return success unless the repository is fsck'd
before verify-tag?
I assume that it would break during the checkout stage, but I wanted to
verify my assumptions.
Thanks,
-K
[Index of Archives]
[Linux Kernel Development]
[Gcc Help]
[IETF Annouce]
[DCCP]
[Netdev]
[Networking]
[Security]
[V4L]
[Bugtraq]
[Yosemite]
[MIPS Linux]
[ARM Linux]
[Linux Security]
[Linux RAID]
[Linux SCSI]
[Fedora Users]
