perihelions 4 days ago

Because GitHub can serve different bytes to different people. You log in as one of the project's devs, you get your own consistent, correct view of your project; some other people get malware instead. How do you reconcile the full picture? No one distrusts GitHub. There's no public log which git tools generically check against to see if GitHub is attempting something evil, the way they do with certificate transparency. GitHub is the public log.

Git may be designed as a distributed VCS, and it'd be a different situation if it were used that way in practice. For many projects, GitHub has a full MITM. They could even—forget about the checksums—bifurcate the views in between devs—accept commits from one dev, send over those commits with translated Merkle trees to another dev who has a corrupted history, and they'd never figure it out.

BobaFloutist 4 days ago

What happens when a dev tries to patch a bug in the malware and nobody can tell what the hell they're talking about?

saagarjha 4 days ago

Yes, but the moment you try to push your local git will complain that you are not aligned with the upstream repo.

perihelions 4 days ago

Not so. GitHub would remember who you are; advertise to you and to you only a set of fake checksums consistent with your fake view of the repo. Your git client would see nothing amiss—your local fake checksums are consistent with the fake checksums the server sent you. Having accepted your push, the server would ignore the fake checksums, extract the content of your patch, apply it to the genuine repo, and compute a new set of checksums, extending the other checksum tree as if you had pushed directly to it. That's what an MITM is.

saagarjha 4 days ago

This falls apart instantly if you share a hash with anyone else, though. Which is exactly what happens when you send in a PR.
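The two positions above, as an added example that is not part of the thread: a small Python model of git's content-addressed objects (the real hashing scheme for blobs, trees and commits, flat trees only) builds perihelions' scenario, a genuine history and a tampered one that are each internally consistent, so a client's local integrity checks pass on either, and then applies saagarjha's check, comparing a commit id across the two views, which flags the divergence at the first commit. The repository contents, author line, and the helper names `ObjectStore`, `verify_chain` and `first_divergence` are constructed for this example and are not git's own code or API.

```python
import hashlib
from typing import Dict, List, Optional, Tuple

IDENT = "Dev <dev@example.invalid> 1700000000 +0000"  # constructed author/committer line


def git_object_id(kind: str, body: bytes) -> str:
    """Git object id: SHA-1 over "<kind> <size>\\0<body>", the scheme real git uses."""
    header = f"{kind} {len(body)}".encode() + b"\0"
    return hashlib.sha1(header + body).hexdigest()


class ObjectStore:
    """Tiny content-addressed store standing in for .git/objects (constructed for this example)."""

    def __init__(self) -> None:
        self.objects: Dict[str, Tuple[str, bytes]] = {}

    def put(self, kind: str, body: bytes) -> str:
        oid = git_object_id(kind, body)
        self.objects[oid] = (kind, body)
        return oid

    def blob(self, data: bytes) -> str:
        return self.put("blob", data)

    def tree(self, files: Dict[str, bytes]) -> str:
        # Flat tree only: regular files (mode 100644), entries sorted by name,
        # each entry is "<mode> <name>\0" followed by the 20 raw bytes of the blob id.
        body = b""
        for name in sorted(files):
            body += b"100644 " + name.encode() + b"\0" + bytes.fromhex(self.blob(files[name]))
        return self.put("tree", body)

    def commit(self, tree: str, parents: List[str], message: str) -> str:
        lines = [f"tree {tree}"] + [f"parent {p}" for p in parents]
        lines += [f"author {IDENT}", f"committer {IDENT}", "", message]
        return self.put("commit", ("\n".join(lines) + "\n").encode())


def build_history(store: ObjectStore, snapshots: List[Tuple[Dict[str, bytes], str]]) -> List[str]:
    """Commit each (files, message) snapshot on top of the previous one; return the commit ids."""
    ids: List[str] = []
    for files, message in snapshots:
        parents = ids[-1:]  # empty for the root commit
        ids.append(store.commit(store.tree(files), parents, message))
    return ids


def verify_chain(store: ObjectStore, head: str) -> bool:
    """What a client can check locally: every object hashes to its id and every referenced
    tree, blob and (first) parent exists. Says nothing about whether the content is genuine."""
    oid: Optional[str] = head
    while oid is not None:
        obj = store.objects.get(oid)
        if obj is None or obj[0] != "commit" or git_object_id(*obj) != oid:
            return False
        header = obj[1].decode().split("\n\n", 1)[0].splitlines()
        tree = next((l.split(" ", 1)[1] for l in header if l.startswith("tree ")), None)
        parents = [l.split(" ", 1)[1] for l in header if l.startswith("parent ")]
        t = store.objects.get(tree) if tree else None
        if t is None or t[0] != "tree" or git_object_id(*t) != tree:
            return False
        pos, tbody = 0, t[1]
        while pos < len(tbody):  # walk "<mode> <name>\0<20-byte id>" entries
            nul = tbody.index(b"\0", pos)
            blob_id = tbody[nul + 1:nul + 21].hex()
            pos = nul + 21
            b = store.objects.get(blob_id)
            if b is None or b[0] != "blob" or git_object_id(*b) != blob_id:
                return False
        oid = parents[0] if parents else None
    return True


def first_divergence(chain_a: List[str], chain_b: List[str]) -> Optional[int]:
    """Index of the first commit whose id differs between two views, or None if they agree."""
    for i, (a, b) in enumerate(zip(chain_a, chain_b)):
        if a != b:
            return i
    return None if len(chain_a) == len(chain_b) else min(len(chain_a), len(chain_b))


def genuine_and_tampered_views():
    """Two server-side views of one project (constructed): the tampered view swaps main.c in the
    root commit; the second dev's patch (util.c) is byte-identical in both, yet every commit id differs."""
    readme = b"hello\n"
    good_main = b"int main(void) { return 0; }\n"
    tampered_main = b"int main(void) { /* constructed stand-in for injected code */ return 0; }\n"
    patch = b"int helper(void) { return 42; }\n"
    genuine, tampered = ObjectStore(), ObjectStore()
    g = build_history(genuine, [({"README": readme, "main.c": good_main}, "initial"),
                                ({"README": readme, "main.c": good_main, "util.c": patch}, "add helper")])
    t = build_history(tampered, [({"README": readme, "main.c": tampered_main}, "initial"),
                                 ({"README": readme, "main.c": tampered_main, "util.c": patch}, "add helper")])
    return genuine, g, tampered, t


if __name__ == "__main__":
    genuine, g, tampered, t = genuine_and_tampered_views()
    print("genuine view self-consistent:", verify_chain(genuine, g[-1]))
    print("tampered view self-consistent:", verify_chain(tampered, t[-1]))
    print("first commit whose id differs across views:", first_divergence(g, t))
```

Both stores pass `verify_chain`, which is the whole of what a git client checks on its own: ids match content, and the content is whatever the server chose to serve. The ids themselves are the detection signal only once they leave the channel the server controls, so the check that matters is `first_divergence` between your view and a hash obtained independently (a PR, a release announcement, a colleague's clone, a signed tag).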

account42 4 days ago

Most projects on GitHub have you submit PRs via GitHub infrastructure, so they have total control over who sees what there as well.