David Craven <[email protected]> writes:

> The integrity of our source code is given by peer review - we are
> subscribed to the commits ML so we see other people's commits.

If we're concerned about security (and we should be), then we should not
rely on the commits mailing list (or any web interface) to show us the
same set of commits that have been pushed to the repo. An attacker
could prevent some of those emails from reaching us, or modify them in
transit to introduce a malicious commit into our repository without it
being noticed.

It's better to "git pull" and read the commits directly out of our local
copy of the git repository.

Mark
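One way to put the review-from-the-local-clone approach into practice, as an added example that is not part of this thread or of any project's tooling: the script keeps the last reviewed commit in a local ref (refs/reviewed/<branch>, an assumed convention), lists only what has been pushed since, and refuses to move on quietly if the fetched history no longer contains the reviewed commit, which is what a rewritten branch looks like. The repositories it builds are constructed throwaway ones.

```shell
#!/bin/sh
# Read commits from the local clone rather than from the commits list.
# The last reviewed commit is kept in a local ref, refs/reviewed/<branch>
# (an assumed convention, not anything the repository itself defines).
set -eu

# list_unreviewed REPO BRANCH
# Fetches origin/BRANCH and prints the commits not yet reviewed, oldest
# first. Exit status 2 means the remote history no longer contains the last
# reviewed commit, i.e. it was rewritten rather than extended.
list_unreviewed() {
    repo=$1 branch=$2 reviewed="refs/reviewed/$2"
    git -C "$repo" fetch --quiet origin "$branch"
    if ! git -C "$repo" rev-parse --verify --quiet "$reviewed" >/dev/null; then
        git -C "$repo" log --reverse --format='%h %s' "origin/$branch"
        return 0
    fi
    if ! git -C "$repo" merge-base --is-ancestor "$reviewed" "origin/$branch"; then
        echo "history rewritten: $reviewed is not an ancestor of origin/$branch" >&2
        return 2
    fi
    git -C "$repo" log --reverse --format='%h %s' "$reviewed..origin/$branch"
}

# mark_reviewed REPO BRANCH: record that everything fetched so far was read.
mark_reviewed() {
    git -C "$1" update-ref "refs/reviewed/$2" "origin/$2"
}

# Constructed demo: a throwaway upstream repository and a clone of it.
demo_review() {
    tmp=$(mktemp -d)
    up="$tmp/upstream" mine="$tmp/mine"
    export GIT_AUTHOR_NAME=demo GIT_AUTHOR_EMAIL=demo@example.invalid
    export GIT_COMMITTER_NAME=demo GIT_COMMITTER_EMAIL=demo@example.invalid
    git init -q "$up" && git -C "$up" symbolic-ref HEAD refs/heads/master
    git -C "$up" commit -q --allow-empty -m "Initial import."
    git clone -q "$up" "$mine"
    list_unreviewed "$mine" master && mark_reviewed "$mine" master
    git -C "$up" commit -q --allow-empty -m "build: Add new package."
    git -C "$up" commit -q --allow-empty -m "doc: Fix typo."
    list_unreviewed "$mine" master && mark_reviewed "$mine" master
    # A rewritten tip (amend) is caught on the next read instead of slipping by.
    git -C "$up" commit -q --amend --allow-empty -m "doc: Fix typo (rewritten)."
    list_unreviewed "$mine" master || echo "exit status $?"
    rm -rf "$tmp"
}

demo_review
```

Reading `git show` on each listed commit, rather than the mailed copy, is then the review step; a non-zero exit from list_unreviewed means the pushed history itself has to be explained before anything new is trusted.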