
On GitHub:

Eve writes some code in her fork of some popular project, commits as "Eve" <eve@example.com>, and sends a pull request upstream.

Alice doesn't notice that Eve's code contains a backdoor to the popular project that she works on, thinks the code is great, and merges the pull request.

Later, everyone gets owned.

Bob, Alice's boss, would like to fire whoever landed the code. He does a git log --full, and sees:

commit deadbeef
Author: Eve <eve@example.com>
Commit: Eve <eve@example.com>

git log --fuller doesn't help, and Eve doesn't have direct push rights to the repository.

Bob can dig around the pull request history, and find it that way, but that sucks. Is there a way to figure this out locally?


1 Answer


In general with git, you could use git signoff (see What is the Sign Off feature in Git for?) and then add an update hook to reject any pushes that don't have a signoff. However, GitHub doesn't seem to allow custom hooks in general, but you could add a post-receive-hook to log all future push events:

http://help.github.com/post-receive-hooks/

If this was an event that already happened, it might be hard (or impossible?) to track down. You might be able to look at the git reflog and ssh logs, but I'm not sure whether GitHub provides such information. If it really was a security breach, it might at least be worth asking them what logs they have.

  • Thanks for the pointer to Git Signoff, never seen that before, that might be nice going forward. – Dead Pixel Mar 20 '12 at 22:11
  • 1
    After poking around, as far as I can tell, this is pretty impossible. The other suggestion I've gotten is that we should simply never use the automatic merge button on github -- instead, do a local checkout and merge dance to explicitly assign committers to everything. – Dead Pixel Mar 23 '12 at 20:41
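The update-hook idea from the answer, written out as an added example (not code from the original post): a server-side hook for a self-hosted bare repository that rejects any pushed commit lacking a Signed-off-by trailer, so that every commit that lands names the person who vouched for it. It assumes a POSIX sh, git on the server, and installation as hooks/update; as the answer notes, GitHub itself will not run it.

```shell
#!/bin/sh
# Server-side "update" hook: git calls it as  update <refname> <oldrev> <newrev>
# before accepting a ref update. Exit non-zero to reject the push.
# Example code for this answer; install as <repo>.git/hooks/update on a
# self-hosted remote (assumption: not usable on GitHub-hosted repositories).

# has_signoff MESSAGE: succeed if MESSAGE carries a "Signed-off-by: Name <email>"
# trailer line, which is what "git commit -s" appends.
has_signoff() {
    printf '%s\n' "$1" | grep -Eq '^Signed-off-by: .+ <.+@.+>$'
}

# check_range RANGE: report every commit in the rev-list RANGE that has no
# sign-off; succeed only when all of them are signed off.
check_range() {
    bad=0
    for c in $(git rev-list "$1"); do
        msg=$(git log -1 --format=%B "$c")
        if ! has_signoff "$msg"; then
            echo "rejected: commit $c has no Signed-off-by trailer" >&2
            bad=1
        fi
    done
    return "$bad"
}

# Hook entry point (only when git invokes us with the three arguments).
if [ "$#" -eq 3 ]; then
    refname=$1; oldrev=$2; newrev=$3
    zero=0000000000000000000000000000000000000000
    # Branch deletion carries nothing new to check.
    [ "$newrev" = "$zero" ] && exit 0
    # New branch: every reachable commit is new; otherwise only old..new.
    if [ "$oldrev" = "$zero" ]; then range=$newrev; else range="$oldrev..$newrev"; fi
    check_range "$range" || { echo "push to $refname refused" >&2; exit 1; }
fi
```

A matching check on the merge side, such as refusing merge commits whose committer is not a known maintainer, can be added to check_range in the same way.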