by bArray 2070 days ago
How do you verify this isn't malicious? Who is running this repo?
1 comments

Compare the SHA commit hashes of the top commit against the hashes from the old "true" repo. If they match, the repo (and the history) has not been changed. Subsequent commits can be manually audited.

> Compare the sha commit hashes of the top commit against the hashes from the old "true" repo.

Isn't it just SHA1? I think it's generally accepted it's not secure...

Also it would be quite easy to build a clone repo that looks the part with all the correct hashes, the git "database" structure is quite simple.
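
An added example, not part of the thread: a sketch of the tip-hash comparison suggested in the first reply, computing object ids the way git's SHA-1 object format does, so that a change to an early commit shows up in the top commit's id. The file contents, author line and function names are constructed for illustration, and the check is only as strong as the hash function's collision resistance.

```python
import hashlib

def git_oid(obj_type: str, body: bytes) -> str:
    # Git's SHA-1 object id: hash of "<type> <size>\0" followed by the body.
    header = f"{obj_type} {len(body)}".encode() + b"\x00"
    return hashlib.sha1(header + body).hexdigest()

def tree_oid(files: dict) -> str:
    # Flat tree of regular files: "100644 <name>\0" + raw 20-byte blob id each.
    body = b""
    for name in sorted(files, key=str.encode):
        blob = bytes.fromhex(git_oid("blob", files[name]))
        body += b"100644 " + name.encode() + b"\x00" + blob
    return git_oid("tree", body)

def commit_oid(tree: str, parents: list, message: str) -> str:
    who = "Example Dev <dev@example.invalid> 1500000000 +0000"  # constructed
    lines = [f"tree {tree}"] + [f"parent {p}" for p in parents]
    lines += [f"author {who}", f"committer {who}", "", message]
    return git_oid("commit", ("\n".join(lines) + "\n").encode())

def tip_of(history: list) -> str:
    # history: (files, message) snapshots, oldest first; returns the tip id.
    parents = []
    for files, message in history:
        parents = [commit_oid(tree_oid(files), parents, message)]
    return parents[0]

def verify_tip(history: list, trusted_tip: str) -> bool:
    return tip_of(history) == trusted_tip

# Constructed sample data: two histories ending in the same files.
FINAL = {"README": b"v1\n", "main.py": b"print('hi')\n"}
ORIGINAL = [({"README": b"v1\n"}, "init"), (FINAL, "add main")]
TAMPERED = [({"README": b"v1 \n"}, "init"), (FINAL, "add main")]
TRUSTED_TIP = tip_of(ORIGINAL)  # stands in for the id noted from the old repo

if __name__ == "__main__":
    print("same final tree:", tree_oid(ORIGINAL[-1][0]) == tree_oid(TAMPERED[-1][0]))
    print("original matches:", verify_tip(ORIGINAL, TRUSTED_TIP))
    print("tampered matches:", verify_tip(TAMPERED, TRUSTED_TIP))
```

Against a real clone, the id to compare is the output of `git rev-parse HEAD`, checked against a value obtained from a source independent of the repo being verified.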