[Ksummit-discuss] [CORE TOPIC] dev/maintainer workflow security

Jiri Kosina jkosina at suse.com
Mon Jul 13 08:32:06 UTC 2015


On Sat, 11 Jul 2015, James Bottomley wrote:

> >   - personal security (keep commit credentials secure from theft)
> 
> This second one is a bit of a red herring:  Assuming you did steal my
> credentials, how would you use them without being detected?

If the credentials can be used both to push to ra.kernel.org and to access 
your "local" copy of the GIT repo (on your notebook / desktop / storage), 
I can just push the malicious commit (*) to both repos and you might not 
notice immediately (because you wouldn't get a non-fast-forward hint from 
git).

(*) or just amend some already existing one so that you wouldn't
    notice the extra commit when preparing a pull request

-- 
Jiri Kosina
SUSE Labs
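The scenario above removes git's usual tell-tale (the non-fast-forward refusal), so a maintainer has to detect an injected or amended commit some other way. One defender-side check is to audit signature status commit by commit, which works against both the local clone and the remote. The script below is an added example, not code from this thread or from kernel.org: it assumes the maintainer signs every commit and that the input was produced by `git log --format='%H %G? %GK %s' <range>` (the `%G?` and `%GK` placeholders are real git pretty-format codes). The key id in `TRUSTED_KEYS`, the hashes and the subjects in `SAMPLE_LOG` are constructed placeholders.

```python
from dataclasses import dataclass

# Status codes git prints for %G? (see git-log(1), "PRETTY FORMATS").
STATUS_TEXT = {
    "G": "good signature",
    "B": "bad signature",
    "U": "good signature, key not trusted",
    "X": "good signature, expired",
    "Y": "good signature, key expired",
    "R": "good signature, key revoked",
    "E": "signature cannot be checked",
    "N": "no signature",
}


@dataclass
class Finding:
    commit: str
    subject: str
    reason: str


def parse_log_line(line):
    """Split one '%H %G? %GK %s' line into (hash, status, key, subject).

    An unsigned commit has an empty %GK, so the line carries two spaces
    there; splitting on a single space with maxsplit=3 keeps the columns
    aligned and leaves the subject intact even if it contains spaces.
    """
    parts = line.rstrip("\n").split(" ", 3)
    while len(parts) < 4:
        parts.append("")
    return tuple(parts)


def audit_commits(lines, trusted_keys):
    """Return a Finding for every commit not carrying a good signature
    from one of trusted_keys. An empty list means the range is clean."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        commit, status, key, subject = parse_log_line(line)
        if status != "G":
            reason = STATUS_TEXT.get(status, "unknown status " + status)
            findings.append(Finding(commit, subject, reason))
        elif key not in trusted_keys:
            findings.append(Finding(commit, subject, "signed by untrusted key " + key))
    return findings


# Constructed sample `git log` output: one commit signed with the maintainer's
# key, one unsigned commit (the kind an attacker with push credentials would
# inject), and one signed with a key the maintainer does not recognise.
SAMPLE_LOG = [
    "1111111111111111111111111111111111111111 G DEADBEEFCAFEF00D Fix refcount leak in foo_probe()",
    "2222222222222222222222222222222222222222 N  Update defconfig",
    "3333333333333333333333333333333333333333 G 0123456789ABCDEF Tidy whitespace",
]
TRUSTED_KEYS = {"DEADBEEFCAFEF00D"}  # placeholder key id, constructed

if __name__ == "__main__":
    for f in audit_commits(SAMPLE_LOG, TRUSTED_KEYS):
        print(f"{f.commit[:12]} {f.subject!r}: {f.reason}")
```

Running the audit over the same range on the remote and on the local clone, with the trusted key set kept somewhere the push credentials do not reach, is what makes the "push to both repos" trick visible: a commit added or amended without the signing key shows up as `no signature` or `bad signature` regardless of which copy it was planted in.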

