A Carnegie Mellon preprint shows that an attacker without the signing key can turn any signed commit into a second, content-identical commit that still earns a "Verified" badge and a different hash. The author says Git and GitHub have not fixed it.
sounds like the author thinks because their purist definition is violated its a problem vs it actually being a problem. im in the same boat as you. I dont see the issue with the commit hash changing long as the code doesnt change.
sounds like the author thinks because their purist definition is violated its a problem vs it actually being a problem. im in the same boat as you. I dont see the issue with the commit hash changing long as the code doesnt change.