DE version is available. Content is displayed in original English for accuracy.
Advertisement
Advertisement
⚡ Community Insights
Discussion Sentiment
20% Positive
Analyzed from 255 words in the discussion.
Trending Topics
#git#commit#don#responsible#disclosure#issue#gnu#forge#systems#pin

Discussion (5 Comments)Read Original on HackerNews
I don’t think this is true on either count: systems that pin to commits frequently don’t look at commit signatures at all, and there is no particular assumption of uniqueness between object IDs and contents (given that object IDs can point to each other across namespaces, e.g. a tag reference that peels to a commit).
(I also agree with the points below about this probably not being a useful form of malleability: there are a nearly infinite number of ways to “malleate” janky encodings like GPG packets and CMS. The much more interesting malleability is when an attacker forges a signature over contents the victim did not intend to sign, which is not demonstrated.)
I like your vastly simpler reproduction of the issue, too. :-)
Why would the author have disclosed the issue to GNU? As far as I know, they don't have anything to do with the development of Git. Perhaps it's because they run a Git server for their Savannah forge, but then again, so does pretty much every other forge out there, most of which are far more widely used.