You are at a security level where it is acceptable to use random guys' 
software downloaded from the internet, which explicitly says in the licence 
that you are offered NO guarantees for anything. The software is so complex 
that it is impossible for you to review even a fraction of it for security 
(or else you would have filed numerous bug reports when you discovered 
unrelated things along the way). Stefan and Jeff seem to be following code 
updates in the Julia repository closely, but I don't know how many others 
review every commit. They have also given away push access to lots of 
random people, some of whom he has never even met in person.

I would not worry too much about the possibility that your sysadmin might 
change something that might compromise your system. He has access anyway. 
Large-scale attackers (at the ISP layer) will probably attack protocols 
that are more used than git over https with a fake certificate. They will 
not know who verifies signatures and who does not.

Ivar

At 12:45:48 UTC+2 on Friday, 1 August 2014, Florian Oswald wrote:
>
> that does sound worrying. I doubt the admin wants to know what I'm 
> downloading but rather get (temporarily) rid of a problem. Does that 
> compromise the security of the hpc system or does it mean someone could 
> hack my github account?
>
>
> On 1 August 2014 08:02, <[email protected]> wrote:
>
>> Sounds like a bad idea. If the SSL cert is not correct in your 
>> configuration (whereas it is in the outside world) it becomes clear that 
>> your admin just wants to know what you are downloading.
>>
>> Basically, he told you "Please let us perform a MITM attack on your 
>> connection. To make our job easier, please deactivate all the SSL checks so 
>> that our cert (and maybe others) is accepted".
>>
>> The extra downside is that now anyone can alter the data you are 
>> downloading and you won't have the slightest idea this is happening (if 
>> that happens).
>>
>
>
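
As an added example (not part of this thread or of Julia's own tooling): a shell audit that flags a git configuration where http.sslVerify has been turned off, the setting the admin's request amounts to, and contrasts it with keeping verification on and pointing http.sslCAInfo at the site's own CA certificate. The CA path and both config files are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: audit a git config for disabled TLS
# verification and contrast it with trusting only the site's CA instead.
set -e

# What "deactivate all the SSL checks" amounts to, written out as a git
# config file. Constructed sample; this is the setting to avoid.
WEAK_CFG=$(mktemp)
cat > "$WEAK_CFG" <<'EOF'
[http]
    sslVerify = false
EOF

# Safer alternative: verification stays on, and only the site's proxy CA is
# added to the trust store. The CA path is an assumed placeholder.
SAFE_CFG=$(mktemp)
cat > "$SAFE_CFG" <<'EOF'
[http]
    sslVerify = true
    sslCAInfo = /etc/ssl/certs/hpc-proxy-ca.pem
EOF
trap 'rm -f "$WEAK_CFG" "$SAFE_CFG"' EXIT

# check_git_tls FILE: prints "weak" if http.sslVerify is set to a false value
# in FILE, "ok" otherwise. Parsed with awk so the audit also works on a shared
# host where git itself is not on the PATH.
check_git_tls() {
    awk '
        # Section headers such as [http] or [http "https://example"]
        /^[[:space:]]*\[/ { s = tolower($0); sub(/^[[:space:]]*\[/, "", s)
                            sub(/[] "].*$/, "", s); sect = s; next }
        # key = value lines; "=" is replaced so "key=value" also splits cleanly
        { l = $0; gsub(/=/, " ", l); n = split(l, f) }
        sect == "http" && n >= 2 && tolower(f[1]) == "sslverify" {
            v = tolower(f[2])
            if (v == "false" || v == "no" || v == "off" || v == "0") weak = 1
        }
        END { print (weak ? "weak" : "ok") }
    ' "$1"
}

echo "weak config: $(check_git_tls "$WEAK_CFG")"   # weak
echo "safe config: $(check_git_tls "$SAFE_CFG")"   # ok
```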
