[Freedombox-discuss] FreedomBox UI in your language
On 12/03/2015 06:05 PM, Elena ``of Valhalla'' Grandi wrote:
> On 2015-12-03 at 10:12:13 +0530, Sunil Mohan Adapa wrote:
>> This is not too different from our relaxed policy of allowing many
>> developers to write to the repository (especially on Alioth). Any of
>> their machines or SSH keys could get compromised and lead to malicious
>> commits to the repository, but that will be easily identified and fixed.
>> We can treat Weblate as one of our developers.
>
> Can they?
>
> It is easy to verify that old commits haven't been rewritten, but adding
> a new, harmless looking, commit in the name of some existing dev isn't
> that hard, and probably likely to pass unnoticed.
>
> http://mikegerwitz.com/papers/git-horror-story.html
>
Thank you for sharing. I have not read fully yet, but signed commits
and automatic verification are something have to do in FreedomBox (I
hope soon).
--
Sunil
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <http://lists.alioth.debian.org/pipermail/freedombox-discuss/attachments/20151203/39f9e7d2/attachment.sig>
Reply to: