by jmclnx 243 days ago
Well, the "good" news is, OpenBSD and NetBSD still use CVS, even for packages. So this will not work on those systems. I do not know about FreeBSD. Security by obscurity :)

But I have been seeing docs indicating those projects are looking to go to git; we'll see if it really happens. In OpenBSD's case it seems it will be based upon got(1).

3 comments

Just to make it clear, what you say is correct, but this is not a git vulnerability, it's a GitHub Actions vulnerability. That is, the BSDs are secured by CVS only because GitHub doesn't do CVS. If you use git and even GitHub but don't do CI/CD using GitHub Actions, you are not affected by this.
This is not a git issue, it is a GitHub issue, and as far as I can see specific to GitHub Actions.
Don't they use email to accept contributions? Seems like a security nightmare w.r.t. impersonation.
How? It's signed with their keys. The Linux kernel also uses mailing lists, and I have yet to see someone trying to impersonate someone.
I haven't seen anything about requirements for GPG. Also, the UX of it is not so great, so it's easy to just not have a signature without causing too much suspicion. Would be a much easier attack than what Jia Tan pulled off. Just wait for some contributor to go on holiday and send a malicious v2 patch. There are so many patches processed in the Linux kernel that no one would notice.
Aren't messages and/or patches signed?
I can't see any of that. They even tell you not to have any GnuPG signatures: https://www.openbsd.org/mail.html