On GitHub:
Eve writes some code in her fork of some popular project, commits as "Eve" <[email protected]>, and sends a pull request upstream.
Alice doesn't notice that Eve's code contains a backdoor to the popular project that she works on, thinks the code is great, and merges the pull request.
Later, everyone gets owned.
Bob, Alice's boss, would like to fire whoever landed the code. He does a git log --pretty=fuller, and sees:
commit deadbeef
Author: Eve <[email protected]>
Commit: Eve <[email protected]>
git log --pretty=fuller doesn't help, and Eve doesn't have direct push rights to the repository.
Bob can dig around the pull request history, and find it that way, but that sucks. Is there a way to figure this out locally?
In general with git, you could use git signoff (see What is the Sign Off feature in Git for?) and then add an update hook to reject any pushes that don't have a signoff. However, GitHub doesn't seem to allow custom hooks in general, but you could add a post-receive-hook to log all future push events:
http://help.github.com/post-receive-hooks/
If this was an event that already happened, it might be hard (or impossible?) to track down. You might be able to look at the git reflog and ssh logs, but I'm not sure whether GitHub provides such information. If it really was a security breach, it might at least be worth asking them what logs they have.
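The update hook the answer above suggests, written out as an added example (it is not code from the answer or from GitHub, and it assumes a self-hosted git server where custom hooks are allowed, which the answer notes GitHub is not). It refuses a push if any commit it introduces lacks a Signed-off-by trailer, so every landed commit carries a human-readable accountability record.

```shell
#!/bin/sh
# Added example (not from the original answer): a server-side `update` hook
# that rejects any push in which some new commit lacks a Signed-off-by trailer.
# git invokes it as: update <refname> <old_sha> <new_sha>

ZERO_SHA="0000000000000000000000000000000000000000"

# has_signoff: read one commit message on stdin; succeed (0) only if it
# carries at least one "Signed-off-by: Name <email>" trailer line.
has_signoff() {
    grep -Eq '^Signed-off-by: [^<]+ <[^>]+>$'
}

# commits_without_signoff: list commits reachable from $2 but not from $1
# (all of $2's history when $1 is the null SHA, i.e. a newly pushed branch)
# whose message has no Signed-off-by trailer. Prints one SHA per line.
commits_without_signoff() {
    old="$1"; new="$2"
    if [ "$old" = "$ZERO_SHA" ]; then
        range="$new"
    else
        range="$old..$new"
    fi
    for sha in $(git rev-list "$range"); do
        git log -1 --format=%B "$sha" | has_signoff || echo "$sha"
    done
}

# Hook entry point: only runs when git invokes the script with its three args.
if [ "$#" -eq 3 ]; then
    refname="$1"; oldsha="$2"; newsha="$3"
    # A branch deletion introduces no commits, so there is nothing to check.
    [ "$newsha" = "$ZERO_SHA" ] && exit 0
    bad=$(commits_without_signoff "$oldsha" "$newsha")
    if [ -n "$bad" ]; then
        echo "update hook: rejecting $refname, commits without Signed-off-by:" >&2
        echo "$bad" >&2
        exit 1
    fi
fi
```

Install it as hooks/update in the bare repository and make it executable; a rejected push leaves the ref untouched, and the trailer on accepted commits tells you who took responsibility for landing them.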