On 12/03/2015 06:05 PM, Elena ``of Valhalla'' Grandi wrote:
> On 2015-12-03 at 10:12:13 +0530, Sunil Mohan Adapa wrote:
>> This is not too different from our relaxed policy of allowing many
>> developers to write to the repository (especially on Alioth). Any of
>> their machines or SSH keys could get compromised and lead to malicious
>> commits to the repository, but that will be easily identified and fixed.
>> We can treat Weblate as one of our developers.
>
> Can they?
>
> It is easy to verify that old commits haven't been rewritten, but adding
> a new, harmless looking, commit in the name of some existing dev isn't
> that hard, and probably likely to pass unnoticed.
>
> http://mikegerwitz.com/papers/git-horror-story.html
>
Thank you for sharing. I have not read it fully yet, but signed commits and automatic verification are something we have to do in FreedomBox (I hope soon).

-- Sunil
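The "automatic verification" Sunil mentions, as an added example that is not part of this thread or of FreedomBox: a small Python checker that walks a commit range with `git log` and rejects every commit that is not carrying a good signature from a key on an explicit developer allowlist. A valid signature from a key that is not on the list is rejected as well, since that is the "harmless looking commit in the name of an existing dev" case Elena describes. The key ids, commit hashes and the `TRUSTED` set are constructed sample values.

```python
import subprocess
from typing import List, Set, Tuple

# Meaning of git's %G? placeholder (git-log(1), "PRETTY FORMATS").
SIG_STATUS = {
    "G": "good signature",
    "U": "good signature, key not trusted",
    "X": "good signature, but expired",
    "Y": "good signature, signing key expired",
    "R": "good signature, signing key revoked",
    "B": "BAD signature",
    "E": "signature cannot be checked (key missing)",
    "N": "no signature",
}

# One line per commit: sha <tab> %G? status <tab> %GK signing key id.
LOG_FORMAT = "%H%x09%G?%x09%GK"


def find_unverified(log_text: str, trusted_keys: Set[str]) -> List[Tuple[str, str]]:
    """Return (sha, reason) for every commit not signed by a listed key.

    Only status 'G' from a key in trusted_keys passes. Everything else,
    including a perfectly valid signature from an unknown key, is reported.
    """
    problems = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        sha, status, keyid = (line.split("\t") + ["", ""])[:3]
        if status == "G" and keyid in trusted_keys:
            continue
        reason = SIG_STATUS.get(status, f"unknown status {status!r}")
        if status == "G":
            reason = f"good signature from unlisted key {keyid}"
        problems.append((sha, reason))
    return problems


def check_range(rev_range: str, trusted_keys: Set[str], repo: str = ".") -> List[Tuple[str, str]]:
    """Run git log over rev_range (e.g. 'origin/master..HEAD') and verify each commit."""
    out = subprocess.run(["git", "-C", repo, "log", f"--format={LOG_FORMAT}", rev_range],
                         check=True, capture_output=True, text=True).stdout
    return find_unverified(out, trusted_keys)


# Constructed sample of git log output (fake hashes and key ids) for an offline run.
SAMPLE_LOG = "\n".join([
    "a" * 40 + "\tG\t0123456789ABCDEF",  # signed by a listed developer key: passes
    "b" * 40 + "\tG\tFEDCBA9876543210",  # valid signature, but key is not on the list
    "c" * 40 + "\tN\t",                  # unsigned commit
    "d" * 40 + "\tE\t1111111111111111",  # cannot verify, public key not available
])
TRUSTED = {"0123456789ABCDEF"}  # constructed allowlist of developer key ids

if __name__ == "__main__":
    for sha, reason in find_unverified(SAMPLE_LOG, TRUSTED):
        print(f"{sha[:12]} REJECT: {reason}")
```

Run it as a pre-receive hook or CI step with `check_range("origin/master..HEAD", TRUSTED)` and fail the push whenever the returned list is non-empty.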
_______________________________________________
Freedombox-discuss mailing list
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/freedombox-discuss
