On Fri, Jan 29, 2016 at 06:40:57PM -0500, Daniel Kahn Gillmor wrote: > Package: git > Tags: security > > Currently by default, git does not verify the integrity of objects it > requests by digest over the network. > > This suggests that momentary control over a malicious repository or (for > unencrypted transports) momentary control over the network is sufficient > to produce a modified working copy with at worst a non-fatal warning. > > I think these failures can be avoided by setting the following config > options to "true" by default: > > transfer.fsckobjects > fetch.fsckobjects > receive.fsckobjects > > Many users of git rely on commit IDs for integrity proof that they're > working from the same point in the repository held by other developers > (i've certainly told people that they can do this) without knowing that > one pull from a malicious repo could tamper with the contents of a > freshly-received object without noticing. > > git should default to safe usage, and people with an argument for unsafe > usage should change their own defaults manually.
Git is, in fact, safe by default. See https://news.ycombinator.com/item?id=11032094 Mike

