craigbro

@craigbro@emacs.ch

No War But Class War!

Life-long FOSS user and developer. Clojurist and emacs enjoyer.

craigbro, to random
Recent CVE in allowing RCE when cloning a repo, see https://github.com/git/git/security/advisories/GHSA-8h77-4q3w-gfgv

Note it says, "As always, it is best to avoid cloning repositories from untrusted sources."

Now consider how many languages will clone a repo of a transitive dependency, or direct dependency at time of dep resolution -- often before any dep analysis/presentation tools could give you a means to evaluate the transitive git deps.

Like , one of my favorites. I have not reviewed dep resolution/fetch code in other languages, but it seems that they should all heed the advice in that advisory.
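An added example, not part of the post above: the post's concern is that a dependency manager clones git-sourced dependencies at resolution time, before you have seen them. This script (my own code, not from any project) inventories git coordinates in a manifest ahead of resolution, so they can be reviewed first; it assumes a Clojure tools.deps `deps.edn` file (the post does not name the language), uses a simplified regex extractor rather than a full EDN parser, and works on a constructed sample with placeholder URLs.

```python
import re

# Constructed sample deps.edn (placeholder URLs, not real repositories):
# one Maven dep, one git dep pinned to a full commit, one git dep on a tag only.
SAMPLE_DEPS_EDN = """
{:deps {org.clojure/clojure {:mvn/version "1.11.1"}
        example/pinned-lib {:git/url "https://example.invalid/pinned-lib.git"
                            :git/sha "0123456789abcdef0123456789abcdef01234567"}
        example/floating-lib {:git/url "https://example.invalid/floating-lib.git"
                              :git/tag "v1.0"}}}
"""

# A coordinate is "<lib> {...}" whose map (no nested braces) mentions :git/url.
# Simplified: enough for flat coordinate maps, not a general EDN parser.
COORD_RE = re.compile(r'(\S+)\s*\{([^{}]*:git/url[^{}]*)\}')
# Keys tools.deps accepts for git coordinates (":sha"/":tag" are the older spellings).
KV_RE = re.compile(r':(git/url|git/sha|git/tag|sha|tag)\s+"([^"]*)"')
FULL_SHA = re.compile(r'^[0-9a-f]{40}$')


def git_deps(edn_text):
    """Return (lib, url, sha, tag) for every coordinate that would be cloned from git."""
    found = []
    for lib, body in COORD_RE.findall(edn_text):
        kv = dict(KV_RE.findall(body))
        sha = kv.get('git/sha') or kv.get('sha')
        tag = kv.get('git/tag') or kv.get('tag')
        found.append((lib, kv.get('git/url'), sha, tag))
    return found


def audit(edn_text):
    """List git deps and whether each is pinned to a full commit (tags/branches can move)."""
    findings = []
    for lib, url, sha, tag in git_deps(edn_text):
        pinned = sha is not None and FULL_SHA.match(sha) is not None
        findings.append({'lib': lib, 'url': url, 'pinned': pinned, 'ref': sha or tag})
    return findings


if __name__ == '__main__':
    for f in audit(SAMPLE_DEPS_EDN):
        status = 'pinned' if f['pinned'] else 'NOT pinned to a commit'
        print(f"{f['lib']}: {f['url']} ({status}, ref={f['ref']})")
```

Run it against a real `deps.edn` before the first `clj` invocation in a fresh checkout; anything it lists is a repository that resolution will clone, and unpinned entries deserve the closest look.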
