Hacker News
by Igglyboo 4079 days ago
How would you subtly add code to repositories without breaking git?
2 comments

If you ever click "merge pull request", github makes the merge commit for you. That means they get to decide the SHA and the full contents of the commit. I'll leave the potential consequences as an exercise to the reader.

I guess the only protection against this would be to either never press the merge button in github, or repeat the merge locally and check there is no diff against the remote merge.
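The second option in the comment above (redo the merge locally and compare it with the merge commit the remote made) as an added shell example; this is not code from the thread. It assumes git is installed. The repository, branches and both merge commits are constructed inline: one honest merge, and one merge commit over the same two parents whose recorded tree contains a file neither parent has, built with `git commit-tree` only so the check has something to flag. The comparison is on tree ids, so it is independent of author, timestamp and message.

```shell
#!/bin/sh
# Added example: recompute a merge locally and compare its tree with the tree
# recorded by the merge commit that was made elsewhere. Assumes git is installed.
set -e

# g <repo> <git args...>: run git in <repo> with a fixed identity for the demo
g() { r=$1; shift; git -C "$r" -c user.name=demo -c user.email=demo@example.com "$@"; }

# verify_merge <repo> <merge-commit>: re-merge the commit's two parents in a
# throwaway clone and print "match" if the trees agree, "MISMATCH" otherwise.
verify_merge() {
    repo=$1; merge=$2
    p1=$(git -C "$repo" rev-parse "$merge^1")
    p2=$(git -C "$repo" rev-parse "$merge^2")
    remote_tree=$(git -C "$repo" rev-parse "$merge^{tree}")
    work=$(mktemp -d)
    git clone -q "$repo" "$work/clone"
    git -C "$work/clone" checkout -q "$p1"
    if g "$work/clone" merge -q --no-edit --no-ff "$p2" >/dev/null 2>&1; then
        local_tree=$(git -C "$work/clone" rev-parse "HEAD^{tree}")
    else
        local_tree=conflict   # a remote merge that conflicts locally is worth a look too
    fi
    rm -rf "$work"
    if [ "$remote_tree" = "$local_tree" ]; then echo match; else echo MISMATCH; fi
}

# make_demo_repo: constructed repository with an honest merge commit and a second
# merge commit over the same parents whose tree carries an extra file d.txt.
# Prints "<repo> <honest-merge> <altered-merge>".
make_demo_repo() {
    repo=$(mktemp -d)
    git init -q "$repo"
    echo base > "$repo/a.txt";    g "$repo" add a.txt; g "$repo" commit -q -m base
    default=$(g "$repo" rev-parse --abbrev-ref HEAD)
    g "$repo" checkout -q -b feature
    echo feature > "$repo/b.txt"; g "$repo" add b.txt; g "$repo" commit -q -m feature
    g "$repo" checkout -q "$default"
    echo main > "$repo/c.txt";    g "$repo" add c.txt; g "$repo" commit -q -m mainline
    main=$(g "$repo" rev-parse HEAD)
    g "$repo" merge -q --no-edit --no-ff feature >/dev/null
    honest=$(g "$repo" rev-parse HEAD)
    feat=$(g "$repo" rev-parse feature)
    # Same two parents, but the recorded tree also contains d.txt. The commit is
    # written to the object store only; no branch points at it.
    echo extra > "$repo/d.txt";   g "$repo" add d.txt
    tree=$(g "$repo" write-tree)
    altered=$(g "$repo" commit-tree "$tree" -p "$main" -p "$feat" -m "Merge feature")
    g "$repo" reset -q --hard
    echo "$repo $honest $altered"
}

# Usage: build the demo repository and check both merge commits.
out=$(make_demo_repo); set -- $out
echo "honest merge:  $(verify_merge "$1" "$2")"
echo "altered merge: $(verify_merge "$1" "$3")"
rm -rf "$1"
```

On a real repository, `verify_merge` would be pointed at the clone of the remote and at the merge commit it created; a merge that conflicts locally but was recorded as clean remotely is reported as a mismatch as well, since the remote must then have resolved it by hand or produced the tree some other way.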

Even if you do this you could still see the changes if you pulled down the repo and examined it.
By breaking SHA1, obviously.
By breaking SHA1 you could covertly edit older commits, but existing contributors would still have the original version. As soon as somebody edits code at the intrusion it would be discovered because it would merge cleanly locally but cause a merge conflict on github.

Of course on big projects a lot of the code isn't touched in years but we're talking about revealing that somebody broke SHA1. It sounds very risky given the stakes.

Commit hashes are not a security feature but you can sign your commits with gpg.
Some projects sign their release commits and tags, some even their merge commits, but I have never seen a project which actually signs every commit.

The reasoning is always that you are actually signing the whole commit chain because your commit is linked to every previous one by the commit hashes.
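The chain argument in the comment above, made concrete as an added shell example (not from the thread); it assumes git is installed and builds a two-commit repository inline. A commit id is the hash of the commit object, and that object contains the `parent` line, so the id of any descendant depends on the exact content of every ancestor. A GPG signature on a commit or tag covers that object content (git strips only the `gpgsig` header before verifying, and `git verify-commit` / `git verify-tag` perform the check), which is why a signed tip or tag vouches for the whole history beneath it. The block recomputes a commit's id from its raw object and shows what the id would become if an ancestor were rewritten; the all-zero id stands in for "some other commit".

```shell
#!/bin/sh
# Added example: a commit id commits to its parent id, so anything signed over
# the tip of a history covers every ancestor. Assumes git is installed.
set -e

# g <repo> <git args...>: run git in <repo> with a fixed identity for the demo
g() { r=$1; shift; git -C "$r" -c user.name=demo -c user.email=demo@example.com "$@"; }

# make_chain: constructed repository with base -> child; prints "<repo> <base> <child>"
make_chain() {
    repo=$(mktemp -d)
    git init -q "$repo"
    echo one > "$repo/f.txt"; g "$repo" add f.txt; g "$repo" commit -q -m base
    base=$(g "$repo" rev-parse HEAD)
    echo two > "$repo/f.txt"; g "$repo" add f.txt; g "$repo" commit -q -m child
    child=$(g "$repo" rev-parse HEAD)
    echo "$repo $base $child"
}

# rehash <repo> <commit>: recompute the id from the raw commit object.
# It equals <commit>: the id is nothing but the hash of this content.
rehash() { g "$1" cat-file commit "$2" | g "$1" hash-object -t commit --stdin; }

# rehash_with_parent <repo> <commit> <newparent>: the id the same commit would
# get if its ancestor were rewritten, i.e. only the parent line differs.
rehash_with_parent() {
    g "$1" cat-file commit "$2" \
      | sed "s/^parent [0-9a-f]\{40\}$/parent $3/" \
      | g "$1" hash-object -t commit --stdin
}

# Usage: show the parent line, the recomputed id, and the id with a rewritten ancestor.
out=$(make_chain); set -- $out
g "$1" cat-file commit "$3" | grep '^parent '
echo "recomputed:          $(rehash "$1" "$3")"
echo "rewritten ancestor:  $(rehash_with_parent "$1" "$3" 0000000000000000000000000000000000000000)"
rm -rf "$1"
```

Because the rewritten-ancestor id differs, a signature made over the original child object no longer applies to the altered chain: verifying it against the new object fails, and that is exactly what `git verify-commit` on a signed tip, or `git verify-tag` on a signed release tag, would report.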

True but I was just mentioning the possibility not the best practices for using it.
And if people actually signed their commits and tags?