On Sun, Feb 12, 2017 at 04:55:14PM -0500, Mark H Weaver wrote:
> David Craven <[email protected]> writes:
> > The integrity of our source code is given by peer review - we are
> > subscribed to the commits ML so we see other people's commits.
>
> If we're concerned about security (and we should be), then we should not
> rely on the commits mailing list (or any web interface) to show us the
> same set of commits that have been pushed to the repo. An attacker
> could prevent some of those emails from reaching us, or modify them in
> transit to introduce a malicious commit into our repository without it
> being noticed.
In fact, the guix-commits mailing list was not sending any messages for a few days recently: http://lists.gnu.org/archive/html/savannah-hackers-public/2017-02/msg00030.html
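The failure mode Mark describes (a notification suppressed or altered in transit while the repository itself is untouched, or the reverse) can be made visible by treating the repository as the source of truth and only using the commit list as a cross-check. The following is an added example written for this thread, not Guix's or Savannah's own tooling. It assumes the repository side is the output of `git log --format='%H%x09%G?%x09%GF%x09%s' <old>..<new>` (hash, gpg status letter, signing-key fingerprint, subject), supplied here as a constructed string rather than by running git, and it assumes a hypothetical `X-Git-Commit` mail header naming the commit, since the real guix-commits message format is not shown on this page. The constructed sample contains one clean commit, one signed by an unknown key, one unsigned commit whose notification never arrived, and one notification whose hash matches nothing that was pushed.

```python
"""Reconcile pushed commits with commit-list notifications (added example).

Only the repository check (good signature from an allowlisted key) is
authoritative; the mail comparison just reports which notifications went
missing or do not correspond to anything in the repository.
"""
import email
from dataclasses import dataclass

# Assumption: fingerprints of the keys committers are expected to sign with.
TRUSTED_FINGERPRINTS = {"1111222233334444555566667777888899990000"}

# Constructed 40-hex commit ids for the sample (not real Guix commits).
SHA_A = "0123456789abcdef0123456789abcdef01234567"  # trusted signature, announced
SHA_B = "1123456789abcdef0123456789abcdef01234567"  # signed by an unknown key
SHA_C = "2123456789abcdef0123456789abcdef01234567"  # unsigned, mail suppressed
SHA_D = "3123456789abcdef0123456789abcdef01234567"  # announced but never pushed

# Constructed stand-in for:
#   git log --format='%H%x09%G?%x09%GF%x09%s' origin/master@{1}..origin/master
# %G? is G (good), B (bad), U (good, untrusted key), N (no signature), ...
SAMPLE_GIT_LOG = (
    f"{SHA_A}\tG\t1111222233334444555566667777888899990000\tgnu: foo: Update to 1.2.\n"
    f"{SHA_B}\tG\tdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef\tgnu: bar: Fix build.\n"
    f"{SHA_C}\tN\t\tbuild: Tweak configure flags.\n"
)

# Constructed notification mails; the X-Git-Commit header is an assumption.
SAMPLE_MAILS = [
    f"From: committer@example.org\nSubject: 01/03: gnu: foo: Update to 1.2.\n"
    f"X-Git-Commit: {SHA_A}\n\n(diff elided)\n",
    f"From: committer@example.org\nSubject: 02/03: gnu: bar: Fix build.\n"
    f"X-Git-Commit: {SHA_B}\n\n(diff elided)\n",
    # Notification for SHA_C was altered in transit to point at SHA_D.
    f"From: committer@example.org\nSubject: 03/03: build: Tweak configure flags.\n"
    f"X-Git-Commit: {SHA_D}\n\n(diff elided)\n",
]


@dataclass
class Commit:
    sha: str
    sig_status: str   # the %G? letter
    fingerprint: str  # the %GF value, empty when unsigned
    subject: str


def parse_git_log(text):
    """Parse the tab-separated git log format described above into {sha: Commit}."""
    commits = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        sha, status, fpr, subject = line.split("\t", 3)
        commits[sha] = Commit(sha, status, fpr, subject)
    return commits


def parse_notifications(raw_mails):
    """Map announced commit hashes to mail subjects (X-Git-Commit is assumed)."""
    announced = {}
    for raw in raw_mails:
        msg = email.message_from_string(raw)
        sha = msg.get("X-Git-Commit", "").strip()
        if sha:
            announced[sha] = msg.get("Subject", "")
    return announced


def audit(commits, announced, trusted):
    """Return (kind, sha, detail) findings; an empty list means all clear."""
    findings = []
    for sha, c in commits.items():
        # Authoritative check: a good signature from an allowlisted key.
        if c.sig_status != "G" or c.fingerprint not in trusted:
            findings.append(("unsigned-or-untrusted", sha,
                             f"status={c.sig_status} key={c.fingerprint or '-'}"))
        # Advisory check: did the list ever tell us about this commit?
        if sha not in announced:
            findings.append(("not-announced", sha, c.subject))
    for sha, subject in announced.items():
        # A notification for something that is not in the repo was forged or altered.
        if sha not in commits:
            findings.append(("announced-not-pushed", sha, subject))
    return findings


if __name__ == "__main__":
    results = audit(parse_git_log(SAMPLE_GIT_LOG),
                    parse_notifications(SAMPLE_MAILS), TRUSTED_FINGERPRINTS)
    for kind, sha, detail in results:
        print(f"{kind:22} {sha[:12]}  {detail}")
```

In practice the git side would be produced by a fetch followed by the `git log` invocation above over the range that just arrived; the point of the example is that a commit flagged `unsigned-or-untrusted` is a problem regardless of what the mailing list showed, and a `not-announced` commit is exactly the case the quoted message warns about.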
