This is indeed a serious bug, but Pkg is already a system for distributing 
and executing arbitrary code, so it does not create any additional risk in 
our context. Pkg executes anything it finds in `deps/build.jl`, and that is 
a known and deliberate risk we take in order for packages to be able to 
install binary dependencies. We need to trust the package author not to put 
malicious code in his repo. Also, almost all our packages are hosted on 
github, and they know about the problem, are blocking new attempts, and are 
scanning their existing repos for this exploit, so if you pull repos from 
github you should be safe.

There are good reasons to upgrade and it is great that the git community 
takes this seriously, but your time is probably better spent actually 
reviewing the code you pull from random guys' github repos than worrying 
about the ability to own your system 10 seconds earlier because you get 
hacked when typing 

> git clone
# instead of 10 seconds later, when you type
> make

If you use git to access data, or to actually review code and diffs *before* 
executing it, and you use OSX or Windows and a less serious git host than 
Github, you should definitely update ASAP, but that's not a very common case 
for Julia users of Pkg.

Regards Ivar

At 09:06:40 UTC+1 on Friday 19 December 2014, Tomas Lycken wrote the following:
>
> Some of you may already have seen this, but a critical git security 
> vulnerability has just been announced. In short, the vulnerability allows 
> *arbitrary 
> command execution on clients*, and affects *all case-insensitive file 
> systems*.
>
> Github published a nice summary [1] with links to a whole bunch of client 
> vendors who have released patches that fix this problem, as well as a 
> few more details (and links to a lot more details) on what the problem 
> was.
>
> I think it would be a good idea to update Julia to make sure that whatever 
> git version Pkg uses isn't exposed, although I'm not quite sure what is 
> required to do so.
>
> [1]: 
> https://github.com/blog/1938-vulnerability-announced-update-your-git-clients
>
> // Tomas
>
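The thread above discusses the announced git client vulnerability in terms of its effect (command execution on clients via a clone on a case-insensitive filesystem) and Ivar's suggestion to review what you pull before executing it. The script below is an added example, not code from either poster or from the Julia or git projects: it scans the paths recorded in a repository's tree for any directory component that a case-insensitive filesystem would treat as `.git`, which is the kind of entry a patched client refuses to check out. The sample path list is constructed for the example; the extra normalisation of Unicode format characters and trailing dots/spaces is a conservative assumption about how some filesystems compare names, not something stated in the thread. Run it with a repository path to inspect a real clone, or with no arguments to run it against the constructed sample.

```python
import subprocess
import sys
import unicodedata

# Constructed sample, shaped like "git ls-tree -r --name-only HEAD" output.
SAMPLE_TREE_PATHS = [
    "src/Foo.jl",
    "deps/build.jl",
    ".Git/hooks/post-checkout",   # constructed: case variant of .git
    "sub/.GIT/config",            # constructed: nested case variant
    "docs/.gitignore",            # benign: a file, not a .git directory
]


def is_dotgit_component(component: str) -> bool:
    """True if a case-insensitive filesystem would map this component onto '.git'."""
    # Case-fold: this is the case-insensitive-filesystem condition from the announcement.
    folded = component.casefold()
    # Conservative assumption (not from the thread): also drop Unicode format
    # characters (category Cf), which some filesystems ignore when comparing
    # names, and strip trailing dots/spaces, which NTFS discards.
    folded = "".join(ch for ch in folded if unicodedata.category(ch) != "Cf")
    folded = folded.rstrip(". ")
    return folded == ".git"


def find_dotgit_paths(paths):
    """Return every path that has a component colliding with '.git'."""
    hits = []
    for path in paths:
        if any(is_dotgit_component(c) for c in path.split("/")):
            hits.append(path)
    return hits


def scan_repo(repo_dir: str, rev: str = "HEAD"):
    """List the tree of an existing clone and report colliding paths.

    Uses NUL-separated output so unusual characters in paths survive splitting.
    """
    out = subprocess.run(
        ["git", "-C", repo_dir, "ls-tree", "-r", "-z", "--name-only", rev],
        capture_output=True, text=True, check=True,
    ).stdout
    return find_dotgit_paths([p for p in out.split("\0") if p])


if __name__ == "__main__":
    suspicious = scan_repo(sys.argv[1]) if len(sys.argv) > 1 else find_dotgit_paths(SAMPLE_TREE_PATHS)
    for path in suspicious:
        print("would collide with .git on a case-insensitive filesystem:", path)
    sys.exit(1 if suspicious else 0)
```

The check is deliberately applied to the tree listing rather than to the working copy: the collision happens at checkout time, so the point is to inspect what a repository contains before (or instead of) letting a vulnerable client write it to disk.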
