It could be for non-public information, could it not? Private repositories are one obvious, but hidden email addresses and IPs could easily be targets. And maybe they want the public information but in an easy-to-manage format. When you've got the tools, it's probably easier to say "Give us every commit log entry for these ten users" rather than go search for it yourself.
> And maybe they want the public information but in an easy-to-manage format
Would there be any legal requirement to satisfy such a request? Why should a business expend resources to do something the police could do on their own?
Various freedom of information laws acknowledge the importance of information being provided to the requester in a machine readable format, when that information originates from such a system. I'm not arguing that this applies to police asking a private entity for information, just that the courts/regulators are not ignorant about the difference between machine-readable data and "oh just do a search and copy-paste it from the website".
If you ever click "merge pull request", github makes the merge commit for you. That means they get to decide the SHA and the full contents of the commit. I'll leave the potential consequences as an exercise to the reader.
I guess the only protection against this would be to either never press the merge button in github, or repeat the merge locally and check there is no diff against the remote merge.
By breaking SHA1 you could covertly edit older commits, but existing contributors would still have the original version. As soon as somebody edits code at the intrusion it would be discovered because it would merge cleanly locally but cause a merge conflict on github.
Of course on big projects a lot of the code isn't touched in years but we're talking about revealing that somebody broke SHA1. It sounds very risky given the stakes.
> Or is it to be able to "subtly add code" to existing repositories without being seen ?
I don't think it's this---I understand it to be basically impossible to mess with git repository histories without people noticing. I guess they might try to sneak it in as a new commit, but hopefully others on the project are inspecting things???
Git commits are hashes of the patches, right? So, while it would be difficult to change the blockchain of bitcoin because it's widely distributed and computationally expensive, it wouldn't be too hard to do it to git.
Process would be something like:
-- Take the original chain.
-- Identify a patch in the past where you want to insert the code
-- Check out back to that patch
-- Make the change
-- Roll forward with all the following patches re-applied (with new hashes of course)
-- Replace the repo with the new repo.
The end result is that hashes would change. So if you were talking to people about a particular patch using its hash, or telling people a particular release is set at a particular hash, you would notice when this changes. So it wouldn't be invisible using this method.
An alternative approach might be to generate a series of innocuous code changes that will produce the end result of restoring the hashes of the latest commit to what they should have been before the change. This might be extremely difficult or computationally intensive, unless the hash algo is weak.
But it seems theoretically possible, unless I'm missing something about how git works.
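The two checks proposed in this thread (redo a server-made merge locally and confirm there is no diff against the remote merge commit, and notice when published commit hashes change after a rewrite of older history) both follow from how git names objects: each object id is the SHA-1 of "<type> <size>\0<body>", and a commit body contains the tree id, every parent id, the author/committer lines and the message. The model below is an added example, not code from the thread or from git or GitHub; it reproduces git's loose-object encoding with hashlib, so blob and tree ids match `git hash-object` for the same bytes, while the three-commit history, the identities, and the "smuggled" change to lib.py are constructed sample data. The "merge" is a dict union of non-conflicting file sets; a real client would run `git merge` and `git diff` instead.

```python
import hashlib


def git_hash(obj_type: str, body: bytes) -> str:
    """SHA-1 over "<type> <size>\\0<body>", which is how git names every object."""
    return hashlib.sha1(f"{obj_type} {len(body)}\0".encode() + body).hexdigest()


def blob(content: bytes) -> str:
    return git_hash("blob", content)


def tree(files: dict) -> str:
    """files maps path -> blob sha. Regular files only (mode 100644); git sorts
    entries by name and stores each sha as 20 raw bytes, not hex."""
    body = b"".join(f"100644 {name}\0".encode() + bytes.fromhex(sha)
                    for name, sha in sorted(files.items()))
    return git_hash("tree", body)


# commit sha -> {"tree": sha, "parents": [sha, ...]}; stands in for .git/objects
COMMITS = {}

IDENT = "A U Thor <author@example.com> 1700000000 +0000"  # constructed identity


def commit(tree_sha: str, parents: list, message: str, ident: str = IDENT) -> str:
    """Hash a commit object. The id covers the tree id, every parent id, the
    author/committer lines and the message, so a change to any ancestor
    changes this id as well."""
    headers = [f"tree {tree_sha}", *(f"parent {p}" for p in parents),
               f"author {ident}", f"committer {ident}"]
    body = ("\n".join(headers) + "\n\n" + message + "\n").encode()
    sha = git_hash("commit", body)
    COMMITS[sha] = {"tree": tree_sha, "parents": list(parents)}
    return sha


def is_ancestor(old: str, new: str) -> bool:
    """True if `new` is a fast-forward of `old`, i.e. old appears in new's history."""
    stack, seen = [new], set()
    while stack:
        sha = stack.pop()
        if sha == old:
            return True
        if sha in seen or sha not in COMMITS:
            continue
        seen.add(sha)
        stack.extend(COMMITS[sha]["parents"])
    return False


def build_history(lib_source: bytes) -> tuple:
    """Constructed three-commit history: import, add lib.py, document it."""
    readme = blob(b"# demo\n")
    c1 = commit(tree({"README.md": readme}), [], "initial import")
    c2 = commit(tree({"README.md": readme, "lib.py": blob(lib_source)}), [c1], "add lib")
    c3 = commit(tree({"README.md": blob(b"# demo\n\nSee lib.py.\n"),
                      "lib.py": blob(lib_source)}), [c2], "document lib")
    return c1, c2, c3


def rewrite_demo() -> dict:
    """Edit lib.py inside the second commit and replay the third on top. The
    third commit's own change is untouched, yet its id moves, and the rewritten
    tip is not a fast-forward of the published one, so a fetch would show it."""
    orig = build_history(b"def f():\n    return 1\n")
    fake = build_history(b"def f():\n    return 2\n")  # the smuggled change (constructed)
    return {
        "root_unchanged": orig[0] == fake[0],
        "edited_commit_changed": orig[1] != fake[1],
        "descendant_changed": orig[2] != fake[2],
        "fast_forward": is_ancestor(orig[2], fake[2]),
    }


def merge_check_demo() -> tuple:
    """Redo a server-made merge locally and compare trees. Commit ids differ
    because the server's committer line differs; the trees must not."""
    server = "Server <noreply@example.com> 1700000100 +0000"  # constructed identity
    base_files = {"README.md": blob(b"# demo\n")}
    base = commit(tree(base_files), [], "base")
    head_files = {**base_files, "feature.py": blob(b"FEATURE = True\n")}
    head = commit(tree(head_files), [base], "feature")
    merged = {**base_files, **head_files}  # non-conflicting merge as dict union

    local = commit(tree(merged), [base, head], "merge feature")
    honest = commit(tree(merged), [base, head], "merge feature", ident=server)
    tampered = commit(tree({**merged, "extra.py": blob(b"pass\n")}),
                      [base, head], "merge feature", ident=server)

    def same_tree(a: str, b: str) -> bool:
        return COMMITS[a]["tree"] == COMMITS[b]["tree"]

    return same_tree(local, honest), same_tree(local, tampered)
```

`rewrite_demo()` reports that only the root commit keeps its id; the edited commit and every descendant get new ids, and `is_ancestor` returns False, which is the non-fast-forward condition a client would observe. `merge_check_demo()` returns `(True, False)`: an honest server merge has the same tree as the local replay even though the commit ids differ, and a merge with smuggled content does not.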
That's what `git rebase --interactive` does (which has been described as being “a bit like git commit --amend hopped up on acid and holding a chainsaw–completely insane and quite dangerous but capable of exposing entirely new states of mind”[0])
The scenario described happens frequently when people `git push -f` a rebased tree, and it certainly does not go unnoticed by other developers on the project — more “havoc” than “subtle”.
> Or is it to be able to "subtly add code" to existing repositories without being seen ?
Come on now, this is not productive to speculate on. This is "the CIA is controlling the population by putting chemicals in your water supply!" level stuff.
So, according to you, they (agencies from the US, China, Russia, etc.) never cross lines that you and I would never cross? They never tried to break security, sabotage, ..., or hack someone?
I'm not talking about moon or UFO's conspiracies. I'm talking about things that, according to leaks and official documents, they already did in the past and keep doing today.
This is something else. Basic rationality demands that we not treat something as truth until we have evidence of it.
The existence of bad actors does not mean an abandonment of critical thinking! Critical thinking in this case tells us that compromising a git repo is a horrible idea, mostly because even if you broke SHA and even if you managed to slip the code in undetected, the jig is up the moment somebody makes a conflicting change in that file, wonders what's going on, and then discovers that the server copy does not jibe with the local copy.
But we can't blindly defend governments, agencies or countries and attack someone just because their opinion or idea doesn't fit the "official version".
There is also a big difference between what I did (considering the ability to do something) and accusing them of doing something. You don't need evidence to think about whether they can do it or not.
> I'm talking about things that, according to leaks and official documents, they already did in the past and keep doing today.
Please cite an official document that shows the US government forcing GitHub to secretly modify the source code of a project in one of its repos.
As far as I'm aware, they've literally never done that, and to suggest they have means you have to show evidence that such a thing has taken place.
This is some Fox News level bullshit. "How do we know the FBI hasn't raped and murdered a girl in 1990? They've never come out and specifically stated they haven't!"
diminoten, you started by comparing one of @balls2you's questions to a plan/plot/conspiracy. I commented saying that just because it's something you think no government would ever do, that doesn't mean they don't do it. I compared it to the NSA leaks, because until Snowden, everyone who talked about the NSA (and other agencies) controlling the internet was called crazy. Now we know that those guys weren't that crazy.
I'm not saying that the US (or other country) government did change some code on some repo on Github, what I'm saying is: if they want, they can do it legally or illegally. Do you understand my comment now?
"Good Germans," even years after the war, were certain there was no way their government could have perpetrated something like the Holocaust and were convinced it was just Allied propaganda.
Hence the phrase "good Germans" for people who believe anything the government tells them, without question, despite the history of government criminal activity, pretty much nonstop going back to the revolution. (Hell, imposing the constitution was done by a coup; there was no mechanism for replacing the prior government, so they just did it as a fait accompli. That said, I wish we operated under that constitution, then there would be no need for these reports to reveal just how many people's (in bands of 250) constitutional rights are being violated.)
The thing about that claim is that they did try (LSD in drinking water as part of MKULTRA); that it didn't work doesn't really matter. If they thought they could again, you could bet your bottom dollar that they would try again.