[Ksummit-discuss] [CORE TOPIC] dev/maintainer workflow security
Jiri Kosina
jkosina at suse.com
Mon Jul 13 08:32:06 UTC 2015
On Sat, 11 Jul 2015, James Bottomley wrote:
> > - personal security (keep commit credentials secure from theft)
>
> This second one is a bit of a red herring: Assuming you did steal my
> credentials, how would you use them without being detected?
If the credentials can be used both to push to ra.kernel.org and to access
your "local" copy of the GIT repo (on your notebook / desktop / storage),
I can just push the malicious commit (*) to both repos and you might not
notice immediately (because you wouldn't get a non-fast-forward hint from
git).
(*) or just amend some already existing one so that you wouldn't
notice an extra commit when preparing a pull request
--
Jiri Kosina
SUSE Labs
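
Added example (not part of the original message, and not kernel.org tooling): a small Python model of the scenario described above. It shows that git's tip-to-tip comparison gives no hint when both copies carry the same tampered tip, while a comparison against a tip recorded out-of-band flags both the extra commit and the amended one. The commit ids, the graph and the out-of-band record are assumptions constructed for illustration.

```python
from collections import deque

# Constructed commit graph {commit: [parents]}; ids are made up for this example.
# "x9" is an extra commit on top of c3; "c3m" is an amended replacement of c3.
PARENTS = {"a1": [], "b2": ["a1"], "c3": ["b2"], "x9": ["c3"], "c3m": ["b2"]}

def ancestors(parents, tip):
    """Return every commit reachable from tip (inclusive)."""
    seen, queue = set(), deque([tip])
    while queue:
        commit = queue.popleft()
        if commit not in seen:
            seen.add(commit)
            queue.extend(parents.get(commit, []))
    return seen

def git_push_hint(local_tip, remote_tip, parents=PARENTS):
    """Model of what a push compares: only the local tip against the remote tip."""
    if local_tip == remote_tip:
        return "up-to-date"
    if remote_tip in ancestors(parents, local_tip):
        return "fast-forward"
    return "non-fast-forward"

def audit_against_record(recorded_tip, current_tip, parents=PARENTS):
    """Compare a tip with one recorded out-of-band (hypothetical trusted record).

    Returns (status, commits reachable now that the recorded history lacked).
    """
    if recorded_tip == current_tip:
        return ("unchanged", [])
    reach = ancestors(parents, current_tip)
    unknown = sorted(reach - ancestors(parents, recorded_tip))
    status = "extra-commits" if recorded_tip in reach else "history-rewritten"
    return (status, unknown)

if __name__ == "__main__":
    recorded = "c3"  # tip noted before the tampering, stored somewhere the credentials cannot reach
    for tampered in ("x9", "c3m"):
        # Same tampered tip in the local copy and on the server: no hint from git.
        print(tampered, git_push_hint(tampered, tampered),
              audit_against_record(recorded, tampered))
    # Only the server copy tampered with: the push is rejected as non-fast-forward.
    print(git_push_hint("c3", "c3m"))
```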