PSA: Did you know that it’s **unsafe** to put code diffs into your commit messages?
Uncategorized
14
Posts
9
Posters
2
Views
-
PSA: Did you know that it’s **unsafe** to put code diffs into your commit messages?
Like https://github.com/i3/i3/pull/6564 for example
Such diffs will be applied by patch(1) (also git-am(1)) as part of the code change!
This is how a sleep(1) made it into i3 4.25-2 in Debian unstable.
@zekjur Malicious prompts in commit messages when?
-
PSA: Did you know that it’s **unsafe** to put code diffs into your commit messages?
Like https://github.com/i3/i3/pull/6564 for example
Such diffs will be applied by patch(1) (also git-am(1)) as part of the code change!
This is how a sleep(1) made it into i3 4.25-2 in Debian unstable.
FWIW, git cherry-pick works as expected (at least)
-
PSA: Did you know that it’s **unsafe** to put code diffs into your commit messages?
Like https://github.com/i3/i3/pull/6564 for example
Such diffs will be applied by patch(1) (also git-am(1)) as part of the code change!
This is how a sleep(1) made it into i3 4.25-2 in Debian unstable.
-
@zekjur this cannot be intentional. No way.
-
PSA: Did you know that it’s **unsafe** to put code diffs into your commit messages?
Like https://github.com/i3/i3/pull/6564 for example
Such diffs will be applied by patch(1) (also git-am(1)) as part of the code change!
This is how a sleep(1) made it into i3 4.25-2 in Debian unstable.
@zekjur The commit-message should explain the "why", not the "how".
So when one needs a full diff (that can be retrieved by git itself) to explain the "why" ... I'd consider that an ... interesting edge-case...
-
@zekjur The commit-message should explain the "why", not the "how".
So when one needs a full diff (that can be retrieved by git itself) to explain the "why" ... I'd consider that an ... interesting edge-case...
@heiglandreas Have you actually read the commit message in question? It’s perfectly reasonable.
-
FWIW, git cherry-pick works as expected (at least)
@zekjur cherry-pick does only work if it has been committed already.
If you receive a patch by email, you have to apply it first.
IMO this is clearly an attack vector for projects. -
PSA: Did you know that it’s **unsafe** to put code diffs into your commit messages?
Like https://github.com/i3/i3/pull/6564 for example
Such diffs will be applied by patch(1) (also git-am(1)) as part of the code change!
This is how a sleep(1) made it into i3 4.25-2 in Debian unstable.
@zekjur I wonder whether it is reproducible with gix... but I am not sure whether they already have "git-am" reimplementd.
-
@heiglandreas Have you actually read the commit message in question? It’s perfectly reasonable.
@zekjur I have read the commit message.
Whether that is reasonable is ... debatable.
Adding an actual commit with the change and explaining why it was done that way and then adding a second commit removing it with the respective why would have been a better option separating code and explanation.
Alternatively explaining that a test with `sleep(1)` after line xyz was done.
But perhaps that is the `edge-case` I was talking about? 🤷
-
PSA: Did you know that it’s **unsafe** to put code diffs into your commit messages?
Like https://github.com/i3/i3/pull/6564 for example
Such diffs will be applied by patch(1) (also git-am(1)) as part of the code change!
This is how a sleep(1) made it into i3 4.25-2 in Debian unstable.
@zekjur gotcha - or rather: gitcha!
-
PSA: Did you know that it’s **unsafe** to put code diffs into your commit messages?
Like https://github.com/i3/i3/pull/6564 for example
Such diffs will be applied by patch(1) (also git-am(1)) as part of the code change!
This is how a sleep(1) made it into i3 4.25-2 in Debian unstable.
@zekjur FWIW I reported this to the git ML... lets see
-
-
undefined swelljoe@mas.to shared this topic
Gli ultimi otto messaggi ricevuti dalla Federazione
-
@aeva :o
-
always fun when the lines between open source projects start to blur
-
Queste Olimpiadi sono una grande sfida! Queste Olimpiadi sono un importante banco di prova per l'Italia! Il significato di Milano Cortina va ben oltre lo sport!
Io questa sfida l'ho stravinta fregandomene il cazzo alla grandissima
-
Per arrivare preparati 2) Vite da medaglia - RaiPlay https://www.raiplay.it/programmi/vitedamedaglia
-
La generazione di codice da parte di LLM integrati negli IDE può essere di due tipi:
1) quelli cui date il vostro codice chiedendo di farci qualcosa sopra; il dato è: gli date il vostro codice, ovvero le chiavi dell’azienda
2) quelli cui dite di generare una soluzione; il dato è: usano il codice che qualcun altro ha dato loro, ovvero ricettazione.«Però ci metto tre minuti a fare una cosa di mesi.»
E fra un po’ manco quei tre minuti, vai a guardare i lavori in corso con le mani dietro.
-
Latest VirtualBox Code Begins Supporting KVM Backend
As of this week Oracle's latest VirtualBox development code begins to work with Linux's native KVM back-end. Support for KVM or other native OS hypervisors in conjunction with VirtualBox has long been sought and it's finally becoming a reality...
https://www.phoronix.com/news/VirtualBox-Upstream-With-KVM
-
@benroyce 400 years ... and it's always the same ...
Great Great Ian McKellen.
Beautifull and simple message.
-
@mikkaels Latouche è una pietra miliare! I francesi comunque sono sul pezzo con questo argomento e c’è molto fermento attorno. Per esempio Timotheé Parrique (che ho indicato nel pensiero). @postgrowth
