PSA: Did you know that it’s **unsafe** to put code diffs into your commit messages?
Uncategorized
58
Posts
47
Posters
2
Views
-
PSA: Did you know that it’s **unsafe** to put code diffs into your commit messages?
Like https://github.com/i3/i3/pull/6564 for example
Such diffs will be applied by patch(1) (also git-am(1)) as part of the code change!
This is how a sleep(1) made it into i3 4.25-2 in Debian unstable.
@zekjur is this a GitHub feature? Or something Debian developers set up? Or something in Git itself?
-
PSA: Did you know that it’s **unsafe** to put code diffs into your commit messages?
Like https://github.com/i3/i3/pull/6564 for example
Such diffs will be applied by patch(1) (also git-am(1)) as part of the code change!
This is how a sleep(1) made it into i3 4.25-2 in Debian unstable.
-
@zekjur is this a GitHub feature? Or something Debian developers set up? Or something in Git itself?
@DecaturNature I think this must be a git-am thing. Absolutely wild.
-
PSA: Did you know that it’s **unsafe** to put code diffs into your commit messages?
Like https://github.com/i3/i3/pull/6564 for example
Such diffs will be applied by patch(1) (also git-am(1)) as part of the code change!
This is how a sleep(1) made it into i3 4.25-2 in Debian unstable.
@zekjur git never ceases to amaze. What a terrible footgun.
-
PSA: Did you know that it’s **unsafe** to put code diffs into your commit messages?
Like https://github.com/i3/i3/pull/6564 for example
Such diffs will be applied by patch(1) (also git-am(1)) as part of the code change!
This is how a sleep(1) made it into i3 4.25-2 in Debian unstable.
@zekjur not the first time: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1081179
But at least in my case it was pretty harmless, and the worst effect was that 'dgit clone' was unexpectedly slow (which is how I spotted it).
-
PSA: Did you know that it’s **unsafe** to put code diffs into your commit messages?
Like https://github.com/i3/i3/pull/6564 for example
Such diffs will be applied by patch(1) (also git-am(1)) as part of the code change!
This is how a sleep(1) made it into i3 4.25-2 in Debian unstable.
@zekjur Looks like a Git problem.
-
@zekjur @RandamuMaki I do wonder though, does gitlab or forgejo behave differently?
@Natanox @zekjur @RandamuMaki Fossil does not do that anyway.
-
PSA: Did you know that it’s **unsafe** to put code diffs into your commit messages?
Like https://github.com/i3/i3/pull/6564 for example
Such diffs will be applied by patch(1) (also git-am(1)) as part of the code change!
This is how a sleep(1) made it into i3 4.25-2 in Debian unstable.
@zekjur in fact i did not know this 💔
-
PSA: Did you know that it’s **unsafe** to put code diffs into your commit messages?
Like https://github.com/i3/i3/pull/6564 for example
Such diffs will be applied by patch(1) (also git-am(1)) as part of the code change!
This is how a sleep(1) made it into i3 4.25-2 in Debian unstable.
What?! and how is a patch identified? any line that starts with a minus or plus?
-
PSA: Did you know that it’s **unsafe** to put code diffs into your commit messages?
Like https://github.com/i3/i3/pull/6564 for example
Such diffs will be applied by patch(1) (also git-am(1)) as part of the code change!
This is how a sleep(1) made it into i3 4.25-2 in Debian unstable.
@zekjur Is it surprising that one would expect such a behavior? A big part of git interaction is about diffs.
-
PSA: Did you know that it’s **unsafe** to put code diffs into your commit messages?
Like https://github.com/i3/i3/pull/6564 for example
Such diffs will be applied by patch(1) (also git-am(1)) as part of the code change!
This is how a sleep(1) made it into i3 4.25-2 in Debian unstable.
@zekjur inband signalling will always have this failure mode
-
PSA: Did you know that it’s **unsafe** to put code diffs into your commit messages?
Like https://github.com/i3/i3/pull/6564 for example
Such diffs will be applied by patch(1) (also git-am(1)) as part of the code change!
This is how a sleep(1) made it into i3 4.25-2 in Debian unstable.
-
PSA: Did you know that it’s **unsafe** to put code diffs into your commit messages?
Like https://github.com/i3/i3/pull/6564 for example
Such diffs will be applied by patch(1) (also git-am(1)) as part of the code change!
This is how a sleep(1) made it into i3 4.25-2 in Debian unstable.
@zekjur one calls it unsafe others an exploit 🤔
-
@DecaturNature I think this must be a git-am thing. Absolutely wild.
@DecaturNature to be clear: github doesn't apply patches to your code.* The way `git push` works is not based on patches. That is, as the level of surprise in the original post suggests, not how any of this works.
But `patch` and `git-am` do take arbitrary text input and apply it as a patch, and patches are not a good data format. `patch` for sure can be tricked.
*see next message
-
@DecaturNature to be clear: github doesn't apply patches to your code.* The way `git push` works is not based on patches. That is, as the level of surprise in the original post suggests, not how any of this works.
But `patch` and `git-am` do take arbitrary text input and apply it as a patch, and patches are not a good data format. `patch` for sure can be tricked.
*see next message
@DecaturNature Exception: github does apply patches in case of rebase/merge, but those are patches specifically generated by diffing trees, never patches provided by users (much less commit messages).
I'm not sure we even do that using any kind of custom code - probably we just use git.
I'm a GitHub employee.
To quibble with the framing of the original: the unsafe behavior is using `patch` to apply patches - good reminder to be super careful doing that. yow
-
@zekjur one calls it unsafe others an exploit 🤔
@TheOneDoc @zekjur
patch is an interpreter that runs as you and can write the file system ... -
@TheOneDoc @zekjur
patch is an interpreter that runs as you and can write the file system ...In this space it's safe to assume that everyone knows what patch and diff are.
Just in case I have to explicitly point it out workflows can have exploits not only software. In fact usually the human is the easiest exploit vector.
Edit: That sounded meaner than intended, sorry. Changed.
-
PSA: Did you know that it’s **unsafe** to put code diffs into your commit messages?
Like https://github.com/i3/i3/pull/6564 for example
Such diffs will be applied by patch(1) (also git-am(1)) as part of the code change!
This is how a sleep(1) made it into i3 4.25-2 in Debian unstable.
-
PSA: Did you know that it’s **unsafe** to put code diffs into your commit messages?
Like https://github.com/i3/i3/pull/6564 for example
Such diffs will be applied by patch(1) (also git-am(1)) as part of the code change!
This is how a sleep(1) made it into i3 4.25-2 in Debian unstable.
@zekjur this is a solved problem. all my commit messages are simply "updates" 👍
-
PSA: Did you know that it’s **unsafe** to put code diffs into your commit messages?
Like https://github.com/i3/i3/pull/6564 for example
Such diffs will be applied by patch(1) (also git-am(1)) as part of the code change!
This is how a sleep(1) made it into i3 4.25-2 in Debian unstable.
@zekjur patch(1) has an excuse, but git-am should know better. Security bug in it IMHO.
Gli ultimi otto messaggi ricevuti dalla Federazione
-
@mora @quinta @mariosiniscalchi domandatevi con quale qualità e conseguenze sopravvive un culto che si concentra sui predicatori e non su una dottrina uniformata
-
Belated Christmas gift, a signed poster from an exhibit in Toledo. I love this! Need to get it framed and up in the studio. #art #inspiration #poster
-
@lakelady I followed along in the notes!
-
@ilarioq @economia sempre in Cina le fanno 😂. Non so ma, x fare un esempio, sulla Volvo EX30 montano in base all'allestimento, 2 tipi di batteria diverse: LFP (al litio-ferro-fosfato) e NCM (al nickel-manganese-cobalto). In ogni caso tra un mese, un anno, un decennio la tecnologia sarà migliorata e i numeri di oggi non avranno + valore
-
@akareilly "I'm sorry you didn't like what I did, but you shouldn't have been looking."
-
🎶MILANO-E-CORTINA OH-OH-OH-OH-OOOOH🎶 🫶🏻🫶🏻🫶🏻
-
@view is this the scrub diving suit visualization app?
-
@lemay When the paperwork asks breed, I'd put "orange" for my orange cat, because they're a separate farking species of animal.
