On 08/24/2016 09:04 AM, Johannes Schindelin wrote: > Hi Philip, > > On Mon, 22 Aug 2016, Philip Oakley wrote:
>> I do note that dscho's patches now have the extra footer (below the three >> dashes) e.g. >> >> Published-As: https://github.com/dscho/git/releases/tag/cat-file-filters-v1 >> Fetch-It-Via: git fetch https://github.com/dscho/git cat-file-filters-v1 <snip> > I considered recommending this as some way to improve the review process. > The problem, of course, is that it is very easy to craft an email with an > innocuous patch and then push some malicious patch to the linked > repository. It should be possible to verify the SHA1 of the blob before and after the patch is applied given the values listed near the beginning of the git diff output. So, for instance, if I apply the malicious patch to my local repository, the SHA1 of the resulting blob would not match what was listed in at least one of the diffs. But whether that is sufficient for verification depends on the work flow. Are patches typically applied on the blob that corresponds to the first SHA1 value listed in the diff for that file?
