Posted Mar 7, 2012 20:34 UTC (Wed) by dlang (✭ supporter ✭, #313)
In reply to: Not a big deal by Tobu
Parent article: Github compromised
It would be noticed, because the next time that the developer attempted to update the repository, he would get an error message saying that the repository wasn't what was expected.
Since that error doesn't happen under normal conditions, it takes more than just being busy to hide this.
Posted Mar 7, 2012 22:25 UTC (Wed) by Tobu (subscriber, #24111)
On a single-developer repo maybe, but on a collaborative project I pull/rebase things without paying much attention.
Not a big deal
Posted Mar 7, 2012 22:32 UTC (Wed) by Tobu (subscriber, #24111)
And by collaborative I mean the centralised workflow where multiple people have commit rights and are actively using them. A semi-centralised workflow where multiple people are doing merges is also vulnerable.
Not a big deal
Posted Mar 8, 2012 9:45 UTC (Thu) by job (guest, #670)
You seem to think the only way to compromise hosted git trees is by manipulating the git tree from the file system. But what he would likely do is add himself to the Rails committers and do a legitimate commit. He needn't do it under his own name of course.
So, yes, this is a big deal. And it might not be such a good idea to trust a large, unwieldy web application with your access keys. It might also not be such a good idea to write large web frameworks which by default give anyone write access to your database fields unless explicitly told otherwise.
Not a big deal
Posted Mar 9, 2012 18:55 UTC (Fri) by dlang (✭ supporter ✭, #313)
Unless you have multiple people pushing updates without much coordination with each other, it doesn't matter how the changes happen to the repo: the maintainer of that repo will be notified that it's not in the expected state the next time he tries to do a push to that repo.
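The two positions in this thread hinge on what git actually checks at push time: a push is rejected only when the remote tip no longer descends from the tip the pusher last saw (a non-fast-forward), while a fresh commit stacked on top of the known tip is a fast-forward and produces no error at all. The following is an added example, not code from the thread or from git itself; it models that ancestry check over a small, constructed commit graph (the `REPO` dictionary, the `c*`/`x1` commit ids and the author addresses are all hypothetical) and goes one step beyond the discussion by adding the author-based review a maintainer would run on the new commits, together with the case that review cannot catch.

```python
from dataclasses import dataclass, field


@dataclass
class Commit:
    sha: str
    author: str
    parents: list = field(default_factory=list)


# Constructed commit graph (hypothetical ids and addresses, not real history).
# c2 is the tip the maintainer last pushed and therefore expects to find.
REPO = {
    "c1": Commit("c1", "alice@example.org"),
    "c2": Commit("c2", "alice@example.org", ["c1"]),
    # history replaced below the known tip: x1 does not descend from c2
    "x1": Commit("x1", "mallory@example.net", ["c1"]),
    # ordinary commit on top of c2 from an account that was added as committer
    "c3": Commit("c3", "mallory@example.net", ["c2"]),
    # same, but with the author field set to a trusted name (git does not verify it)
    "c4": Commit("c4", "alice@example.org", ["c2"]),
}


def ancestors(graph, sha):
    """Return every commit reachable from sha, sha itself included."""
    seen, stack = set(), [sha]
    while stack:
        cur = stack.pop()
        if cur in seen:
            continue
        seen.add(cur)
        stack.extend(graph[cur].parents)
    return seen


def is_fast_forward(graph, old_tip, new_tip):
    """The condition git push enforces: the old tip must be an ancestor of the new one."""
    return old_tip in ancestors(graph, new_tip)


def audit_remote(graph, expected_tip, observed_tip, trusted_authors):
    """Classify how the remote moved relative to the tip the maintainer expects.

    'non-fast-forward' is the case the maintainer's next push would reject on its own;
    'fast-forward' is the silent case, so the new commits are listed and any whose
    author is not in trusted_authors is flagged for review.
    """
    if observed_tip == expected_tip:
        return {"status": "unchanged", "new_commits": [], "flagged": []}
    if not is_fast_forward(graph, expected_tip, observed_tip):
        return {"status": "non-fast-forward", "new_commits": [], "flagged": []}
    new = sorted(ancestors(graph, observed_tip) - ancestors(graph, expected_tip))
    flagged = [sha for sha in new if graph[sha].author not in trusted_authors]
    return {"status": "fast-forward", "new_commits": new, "flagged": flagged}


if __name__ == "__main__":
    trusted = {"alice@example.org"}
    for tip in ("c2", "x1", "c3", "c4"):
        print(tip, audit_remote(REPO, "c2", tip, trusted))
```

Only the `x1` case produces the push error relied on above; `c3` is a clean fast-forward that a routine pull/rebase absorbs without complaint and is caught here purely because the author is unexpected, and `c4` shows the limit of that check, since the author field is free text the committer chooses. A review based on authorship is a useful signal on a centralised repo, but the durable control for the `c4` case is a verifiable identity on the commit (signed commits) rather than the name in the header.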