PSA: Did you know that it’s **unsafe** to put code diffs into your commit messages?
Uncategorized
58
Posts
47
Posters
2
Views
-
PSA: Did you know that it’s **unsafe** to put code diffs into your commit messages?
Like https://github.com/i3/i3/pull/6564 for example
Such diffs will be applied by patch(1) (also git-am(1)) as part of the code change!
This is how a sleep(1) made it into i3 4.25-2 in Debian unstable.
@zekjur Why would someone design it like that? What's the possible use case for this behavior?
-
PSA: Did you know that it’s **unsafe** to put code diffs into your commit messages?
Like https://github.com/i3/i3/pull/6564 for example
Such diffs will be applied by patch(1) (also git-am(1)) as part of the code change!
This is how a sleep(1) made it into i3 4.25-2 in Debian unstable.
@zekjur Just fucking stop using github.
-
@max
A strong case can be made though that thepatchtool garbage erasure must only apply to initial “garbage”, rather than initial and inter-chunk garbage. That’s the aspect that causes the surprise here: VCS diffs only ever place commit metadata (including the message) before the actual patch, but thepatchtool allows this metadata (“garbage”) anywhere. At least forgit applythat is an obvious bug in and of itself.Secondly, given this
git showshould have exported the commit message with one leading space on every line, as that is the escaping mechanism specified bypatchfor “garbage” data.Doing both of the above changes would make for a robust mitigation on all levels.
@bmarinov @zekjur @musicmatze -
@zekjur Just fucking stop using github.
@zekjur @RandamuMaki I do wonder though, does gitlab or forgejo behave differently?
-
@zekjur Just fucking stop using github.
@RandamuMaki@mstdn.social @zekjur@mas.to What? Did you read anything in the post?
-
PSA: Did you know that it’s **unsafe** to put code diffs into your commit messages?
Like https://github.com/i3/i3/pull/6564 for example
Such diffs will be applied by patch(1) (also git-am(1)) as part of the code change!
This is how a sleep(1) made it into i3 4.25-2 in Debian unstable.
@zekjur … with git. other vcs do exist. i know, i know.
-
PSA: Did you know that it’s **unsafe** to put code diffs into your commit messages?
Like https://github.com/i3/i3/pull/6564 for example
Such diffs will be applied by patch(1) (also git-am(1)) as part of the code change!
This is how a sleep(1) made it into i3 4.25-2 in Debian unstable.
@zekjur is this a GitHub feature? Or something Debian developers set up? Or something in Git itself?
-
PSA: Did you know that it’s **unsafe** to put code diffs into your commit messages?
Like https://github.com/i3/i3/pull/6564 for example
Such diffs will be applied by patch(1) (also git-am(1)) as part of the code change!
This is how a sleep(1) made it into i3 4.25-2 in Debian unstable.
-
@zekjur is this a GitHub feature? Or something Debian developers set up? Or something in Git itself?
@DecaturNature I think this must be a git-am thing. Absolutely wild.
-
PSA: Did you know that it’s **unsafe** to put code diffs into your commit messages?
Like https://github.com/i3/i3/pull/6564 for example
Such diffs will be applied by patch(1) (also git-am(1)) as part of the code change!
This is how a sleep(1) made it into i3 4.25-2 in Debian unstable.
@zekjur git never ceases to amaze. What a terrible footgun.
-
PSA: Did you know that it’s **unsafe** to put code diffs into your commit messages?
Like https://github.com/i3/i3/pull/6564 for example
Such diffs will be applied by patch(1) (also git-am(1)) as part of the code change!
This is how a sleep(1) made it into i3 4.25-2 in Debian unstable.
@zekjur not the first time: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1081179
But at least in my case it was pretty harmless, and the worst effect was that 'dgit clone' was unexpectedly slow (which is how I spotted it).
-
PSA: Did you know that it’s **unsafe** to put code diffs into your commit messages?
Like https://github.com/i3/i3/pull/6564 for example
Such diffs will be applied by patch(1) (also git-am(1)) as part of the code change!
This is how a sleep(1) made it into i3 4.25-2 in Debian unstable.
@zekjur Looks like a Git problem.
-
@zekjur @RandamuMaki I do wonder though, does gitlab or forgejo behave differently?
@Natanox @zekjur @RandamuMaki Fossil does not do that anyway.
-
PSA: Did you know that it’s **unsafe** to put code diffs into your commit messages?
Like https://github.com/i3/i3/pull/6564 for example
Such diffs will be applied by patch(1) (also git-am(1)) as part of the code change!
This is how a sleep(1) made it into i3 4.25-2 in Debian unstable.
@zekjur in fact i did not know this 💔
-
PSA: Did you know that it’s **unsafe** to put code diffs into your commit messages?
Like https://github.com/i3/i3/pull/6564 for example
Such diffs will be applied by patch(1) (also git-am(1)) as part of the code change!
This is how a sleep(1) made it into i3 4.25-2 in Debian unstable.
What?! and how is a patch identified? any line that starts with a minus or plus?
-
PSA: Did you know that it’s **unsafe** to put code diffs into your commit messages?
Like https://github.com/i3/i3/pull/6564 for example
Such diffs will be applied by patch(1) (also git-am(1)) as part of the code change!
This is how a sleep(1) made it into i3 4.25-2 in Debian unstable.
@zekjur Is it surprising that one would expect such a behavior? A big part of git interaction is about diffs.
-
PSA: Did you know that it’s **unsafe** to put code diffs into your commit messages?
Like https://github.com/i3/i3/pull/6564 for example
Such diffs will be applied by patch(1) (also git-am(1)) as part of the code change!
This is how a sleep(1) made it into i3 4.25-2 in Debian unstable.
@zekjur inband signalling will always have this failure mode
-
PSA: Did you know that it’s **unsafe** to put code diffs into your commit messages?
Like https://github.com/i3/i3/pull/6564 for example
Such diffs will be applied by patch(1) (also git-am(1)) as part of the code change!
This is how a sleep(1) made it into i3 4.25-2 in Debian unstable.
-
PSA: Did you know that it’s **unsafe** to put code diffs into your commit messages?
Like https://github.com/i3/i3/pull/6564 for example
Such diffs will be applied by patch(1) (also git-am(1)) as part of the code change!
This is how a sleep(1) made it into i3 4.25-2 in Debian unstable.
@zekjur one calls it unsafe others an exploit 🤔
-
@DecaturNature I think this must be a git-am thing. Absolutely wild.
@DecaturNature to be clear: github doesn't apply patches to your code.* The way `git push` works is not based on patches. That is, as the level of surprise in the original post suggests, not how any of this works.
But `patch` and `git-am` do take arbitrary text input and apply it as a patch, and patches are not a good data format. `patch` for sure can be tricked.
*see next message
Gli ultimi otto messaggi ricevuti dalla Federazione
-
@mora @quinta @mariosiniscalchi domandatevi con quale qualità e conseguenze sopravvive un culto che si concentra sui predicatori e non su una dottrina uniformata
-
Belated Christmas gift, a signed poster from an exhibit in Toledo. I love this! Need to get it framed and up in the studio. #art #inspiration #poster
-
@lakelady I followed along in the notes!
-
@ilarioq @economia sempre in Cina le fanno 😂. Non so ma, x fare un esempio, sulla Volvo EX30 montano in base all'allestimento, 2 tipi di batteria diverse: LFP (al litio-ferro-fosfato) e NCM (al nickel-manganese-cobalto). In ogni caso tra un mese, un anno, un decennio la tecnologia sarà migliorata e i numeri di oggi non avranno + valore
-
@akareilly "I'm sorry you didn't like what I did, but you shouldn't have been looking."
-
🎶MILANO-E-CORTINA OH-OH-OH-OH-OOOOH🎶 🫶🏻🫶🏻🫶🏻
-
@view is this the scrub diving suit visualization app?
-
@lemay When the paperwork asks breed, I'd put "orange" for my orange cat, because they're a separate farking species of animal.
