On 2015-12-03 at 10:12:13 +0530, Sunil Mohan Adapa wrote: > This is not too different from our relaxed policy of allowing many > developers to write to the repository (especially on Alioth). Any of > their machines or SSH keys could get compromised and lead to malicious > commits to the repository, but that will be easily identified and fixed. > We can treat Weblate as one of our developers.
Can they? It is easy to verify that old commits haven't been rewritten, but adding a new, harmless looking, commit in the name of some existing dev isn't that hard, and probably likely to pass unnoticed. http://mikegerwitz.com/papers/git-horror-story.html -- Elena ``of Valhalla'' _______________________________________________ Freedombox-discuss mailing list [email protected] http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/freedombox-discuss
