by _jomo
2777 days ago

Interesting, but the commit that introduced the malicious changes wouldn't be signed by the alleged author's key. Also I'd trust anyone who denies adding a backdoor like this. Why would anyone do this with their name attached to the change? What you'd actually do is change the author to "Anonymous Coward <nobody@android.com>" ;) https://android.googlesource.com/platform/packages/apps/Glob...

The article is arguing that only signing tags is insufficient, and that you should sign every commit individually to prevent this scenario.