Home/ Questions/Q 7667489
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-31T15:06:58+00:00

On GitHub: Eve writes some code in her fork of some popular project, commits

  • 0

On GitHub:

Eve writes some code in her fork of some popular project, commits as "Eve" <eve@example.com>, and sends a pull request upstream.

Alice doesn’t notice that Eve’s code contains a backdoor to the popular project that she works on, thinks the code is great, and merges the pull request.

Later, everyone gets owned.

Bob, Alice’s boss, would like to fire whomever landed the code. He does a git log --full, and sees:

commit deadbeef
Author: Eve <eve@example.com>
Commit: Eve <eve@example.com>

git log --fuller doesn’t help, and Eve doesn’t have direct push rights to the repository.

Bob can dig around the pull request history, and find it that way, but that sucks. Is there a way to figure this out locally?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    In general with git, you could use git signoff (see What is the Sign Off feature in Git for?) and then add a update hook to reject any pushes that don’t have a signoff. However, GitHub doesn’t seem to allow custom hooks in general, but you could add a post-receive-hook to log all future push events:

    http://help.github.com/post-receive-hooks/

    If this was an event that already happened, it might be hard (or impossible?) to track down.
    You might be able to look at the git reflog and ssh logs, but I’m not sure whether GitHub provides such information. If it really was a security breach, it might at least be worth asking them what logs they have.

    • 0