A Carnegie Mellon preprint shows that an attacker without the signing key can turn any signed commit into a second, content-identical commit that still earns a "Verified" badge and a different hash. The author says Git and GitHub have not fixed it.
Please explain what you mean and how this could be abused. What does “real” mean in this context? They both have the same code. It would probably help if you can provide a specific attack that could actually cause harm rather than just stating facts that have unclear risk.
My understanding is that you’d end up with two divergent histories and you can’t tell which one is the original. I don’t know how it could be abused off top of my head, but generally speaking people tend to find ways to abuse these kinds of things.
but looking back you have no way to tell which branch is the real one
Please explain what you mean and how this could be abused. What does “real” mean in this context? They both have the same code. It would probably help if you can provide a specific attack that could actually cause harm rather than just stating facts that have unclear risk.
My understanding is that you’d end up with two divergent histories and you can’t tell which one is the original. I don’t know how it could be abused off top of my head, but generally speaking people tend to find ways to abuse these kinds of things.