On Tue, Jun 11, 2013 at 3:16 PM, Ingo Malchow imalchow@kde.org wrote:
On Tuesday, 11 June 2013, 14:42:36, Chad wrote:
Indeed, it'd be pretty hard to do. Since we use git, anyone trying to sneak something in would break history and likely get noticed.
That is not entirely true. Considering the live website is at best a git clone and not the main git repo (or just an automatic mirror of the git sources), all you'd need to get is access to the server, and secretly modify the live sources.
Well yes, but...
You could also set up a git merge hook, where git are pulled and on top of that applies your backdoor again, so the sysadmins won't notice in the first place. No git commits involved here. Just food for thought ;)
Which would subsequently show up on git-status. And if you tried to add your $secretFile to .gitignore, there'd be a change to .gitignore in the tree.
Impossible to do? No. But hard to do without tipping someone off, yeah, I'd say so. Heck, we spot the problem all the time when someone goes and makes a live hack without committing.
-Chad
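
The checks discussed in this thread (uncommitted changes showing up in git status, and a hook that reapplies a change after each pull) can be run together against a deployed checkout. The script below is an added example, not part of the original messages; the function name `audit_checkout` is hypothetical, and it assumes the live site is an ordinary git working tree.

```shell
#!/bin/sh
# audit_checkout DIR  (hypothetical helper, added example)
# Reports signs that a deployed git checkout was changed in place.
# Prints one finding per line. Returns 0 if clean, 1 if anything was
# found, 2 if DIR is not a git working tree.
audit_checkout() {
    dir=$1
    if ! git -C "$dir" rev-parse --git-dir >/dev/null 2>&1; then
        echo "not a git checkout: $dir" >&2
        return 2
    fi
    findings=$(
        cd "$dir" || exit 2
        # Modified, deleted, untracked (??) and ignored (!!) paths.
        # --ignored also lists files hidden by an ignore rule, so an
        # ignored file is still reported.
        git status --porcelain --ignored | sed 's/^/worktree: /'
        # Active hooks: executable files in the hooks directory that are
        # not the *.sample files git ships. A deploy-only clone normally
        # has none, so each one deserves a look.
        hooks=$(git rev-parse --git-path hooks)
        for h in "$hooks"/*; do
            if [ -f "$h" ] && [ -x "$h" ]; then
                case $h in
                    *.sample) ;;
                    *) echo "hook: ${h##*/}" ;;
                esac
            fi
        done
    )
    if [ -z "$findings" ]; then
        return 0
    fi
    printf '%s\n' "$findings"
    return 1
}
```

Run from cron against the live document root, any output is a reason to compare the server against the main repository.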