That’s part of the reason why I migrated HardenedBSD to self-host its git server. A few of the other reasons:
To make sure we control the infrastructure such that we have a “single source of truth” stored with security we can verify.
To enable access to our repos in different, unique ways (one way being via Tor Onion Service).
To have better access control with audit logs.
For full continuous integration, even if the infrastructure is offline. Next year, I plan to set up an out-of-band comms channel (LTE modem) to be able to access our infrastructure even if my hosting provider’s network goes down. I’ll set it up such that I can still do development and push commits to the git server over the LTE connection.
If only we’d trained people to curl random files from the internet that look vaguely sane from the URL, and pipe them straight into a root shell to execute commands 🤔
This is how youtube-dl ended up inside the github/dmca repo.
I understand the situation in the OP, but why is this happening? Edit: ah, someone forked that repo and pushed the full source. It is the same situation as the OP.
Do you run any frontend for git like cgit, gitea or gitlab or the likes? Or just plain old git, ssh and email?
We use Gitea: https://git-01.md.hardenedbsd.org/
Pretty cool, and I’m sure some day once this “low impact” issue has been long forgotten, someone will be able to execute an actual hack with this.
This however is an actual and my only Linux kernel commit: https://github.com/torvalds/linux/commit/b7b1d645bb7a3dab4be9d4114cbe319b67a45c01#diff-e1c95aa5c1a33cdd6bd89a7ce910d4b2 - no trickery involved and I’m proud of it!