Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

The question is whether recursive submodule checkout happens after some integrity/signature validation or before. The RCE can be an issue in the latter case.


There would also have to be a compromise of the transport (i.e. a MITM of HTTPS or SSH) to use this in most practical scenarios.


It still weakens the security, otherwise why bother with integrity/signature checks if you trust the git remote?




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: