perihelions 4 days ago

Not so. GitHub would remember who you are; advertise to you and to you only a set of fake checksums consistent with your fake view of the repo. Your git client would see nothing amiss—your local fake checksums are consistent with the fake checksums the server sent you. Having accepted your push, the server would ignore the fake checksums, extract the content of your patch, apply it to the genuine repo, and compute a new set of checksums, extending the other checksum tree as if you had pushed directly to it. That's what an MITM is.

saagarjha 4 days ago | parent [-]

This falls apart instantly if you share a hash with anyone else, though. Which is exactly what happens when you send in a PR.

account42 4 days ago | parent [-]

Most projects on GitHub have you submit PRs via GitHub infrastructure so they have total control over who sees what there as well.
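The two points above (a hash shared outside the host's own channel exposes a split-view history; a hash that only ever travels through the host does not) can be made concrete. The following is an added example, not code from any commenter: it re-implements git's content-addressed object hashing from scratch (blob, flat tree, commit, using the same `<type> <size>\0<payload>` framing git uses, so the results match real `git hash-object` output), then builds the hypothetical scenario from the thread. The repository contents, author line and timestamp are constructed constants chosen so the hashes are deterministic.

```python
import hashlib

# Constructed author/committer identity and timestamp so commit hashes are stable.
AUTHOR_LINE = "Example Dev <dev@example.invalid> 1700000000 +0000"


def git_hash_object(obj_type: str, data: bytes) -> str:
    """SHA-1 over git's loose-object framing: '<type> <size>\\0<payload>'."""
    header = f"{obj_type} {len(data)}\0".encode()
    return hashlib.sha1(header + data).hexdigest()


def blob_hash(content: bytes) -> str:
    """Hash of a file's content, independent of its name or history."""
    return git_hash_object("blob", content)


def tree_hash(files: dict) -> str:
    """Hash a flat tree of regular files (mode 100644); git sorts entries by name."""
    body = b""
    for name in sorted(files):
        body += f"100644 {name}\0".encode() + bytes.fromhex(blob_hash(files[name]))
    return git_hash_object("tree", body)


def commit_hash(tree: str, parents: list, message: str) -> str:
    """Hash a commit object. The parent hashes are part of the hashed payload,
    so two commits with identical trees but different parents never collide."""
    lines = [f"tree {tree}"]
    lines += [f"parent {p}" for p in parents]
    lines += [f"author {AUTHOR_LINE}", f"committer {AUTHOR_LINE}", "", message]
    return git_hash_object("commit", ("\n".join(lines) + "\n").encode())


def split_view_scenario() -> dict:
    """Model the thread's hypothetical: a host shows one contributor a fake but
    self-consistent history, then re-applies their patch to the genuine one."""
    base = {"README": b"hello\n"}
    genuine_base = commit_hash(tree_hash(base), [], "Initial import")
    # Hypothetical split view: same files, but a different commit object
    # (here the message differs), so every descendant hash differs too.
    fake_base = commit_hash(tree_hash(base), [], "Initial import (split view)")

    patched = {**base, "SECURITY.md": b"Report issues to security@example.invalid\n"}
    patched_tree = tree_hash(patched)
    # The contributor commits on top of the base they were shown.
    contributor_commit = commit_hash(patched_tree, [fake_base], "Add SECURITY.md")
    # The host must produce a different commit to graft the patch onto the genuine base.
    reapplied_commit = commit_hash(patched_tree, [genuine_base], "Add SECURITY.md")
    return {
        "patched_tree": patched_tree,
        "contributor_commit": contributor_commit,
        "reapplied_commit": reapplied_commit,
    }


def hashes_agree(claimed: str, observed: str) -> bool:
    """The out-of-band check: does the hash the author quotes elsewhere
    (mailing list, chat, a signed tag) match what a reviewer sees in the repo?"""
    return claimed == observed


if __name__ == "__main__":
    s = split_view_scenario()
    print("tree (content) identical on both sides:", s["patched_tree"])
    print("contributor's commit:", s["contributor_commit"])
    print("re-applied commit:   ", s["reapplied_commit"])
    print("out-of-band hash check passes:",
          hashes_agree(s["contributor_commit"], s["reapplied_commit"]))
```

The tree hash is the same on both sides because the patch content is identical; only the commit hash diverges, because the parent is baked into it. That is the detection signal: a contributor who quotes their commit hash over any channel the host does not mediate gives a reviewer something to compare against the repository's view. It is also why the caveat in the last comment holds: if the hash only ever appears inside the host's own PR interface, the host can show each party the hash consistent with that party's view, and this comparison never happens.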