• kevincox@lemmy.ml
    link
    fedilink
    arrow-up
    3
    ·
    edit-2
    5 hours ago

    I don’t understand. Why does having two commit IDs with the exact same code cause problems.

    A green “Verified” badge on GitHub is supposed to mean that a trusted author signed it

    The author did sign it. It is the exact same code.

    An attacker can reissue the same signed code under a fresh ID that’s still verified to slip past.

    To split past what? At best it seems that they would be able to have a different ID for the exact same code, which seems harmless? Slightly confusing at worst.

    Nix also doesn’t use PGP signatures, it requires a separate hash of the resulting commit (the files with the .git directory stripped by default).

    • ☆ Yσɠƚԋσʂ ☆@lemmy.mlOP
      link
      fedilink
      arrow-up
      3
      ·
      5 hours ago

      Right, it’s not a serious exploit which would allow changing code, but it does allow compromising integrity because changing the id mutates history.

    • jatone@lemmy.dbzer0.com
      link
      fedilink
      English
      arrow-up
      2
      ·
      edit-2
      5 hours ago

      sounds like the author thinks because their purist definition is violated its a problem vs it actually being a problem. im in the same boat as you. I dont see the issue with the commit hash changing long as the code doesnt change.