On Tue, Jun 11, 2013 at 3:16 PM, Ingo Malchow <imalchow(a)kde.org> wrote:
On Tuesday, 11 June 2013, 14:42:36, Chad wrote:
Indeed, it'd be pretty hard to do. Since we use git, anyone trying to sneak
something in would break history and likely get noticed.
That is not entirely true. Considering the live website is at best a git clone
and not the main git repo (or just an automatic mirror of the git sources),
all you'd need to do is get access to the server and secretly modify the live
sources.
Well yes, but...
You could also set up a git merge hook, where git are pulled and on top of
that applies your backdoor again, so the sysadmins won't notice in the first
place.
No git commits involved here.
Just food for thought ;)
Which would subsequently show up on git-status. And if you tried to add
your $secretFile to .gitignore, there'd be a change to .gitignore in the tree.
Impossible to do? No. But hard to do without tipping someone off, yeah,
I'd say so. Heck, we spot the problem all the time when someone goes
and makes a live hack without committing.
-Chad
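
The check discussed in this thread (uncommitted changes to a deployed clone showing up in git status, plus the merge-hook case), written as an added example that is not part of the original messages. The function names and the finding labels are assumptions of this example; it flags modified, untracked and ignored files, any change to .gitignore, and hooks that git would actually run.

```shell
#!/bin/sh
# Added example: drift check for a deployed git clone (not from the thread).

# Classify `git status --porcelain --ignored` lines read from stdin.
# Prints one finding per line and returns 1 if any drift was seen.
classify_porcelain() {
    drift=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        code=$(printf '%s' "$line" | cut -c1-2)   # two-character status code
        path=$(printf '%s' "$line" | cut -c4-)    # path starts at column 4
        case "$code" in
            '??') kind=UNTRACKED ;;
            '!!') kind=IGNORED ;;                 # hidden from plain git status
            *)    kind=MODIFIED ;;
        esac
        # A touched .gitignore is reported under its own label.
        [ "$path" = ".gitignore" ] && kind=GITIGNORE-CHANGED
        printf '%s %s\n' "$kind" "$path"
        drift=1
    done
    return "$drift"
}

# List hooks git would run: executable files that are not *.sample templates.
active_hooks() {
    hooks_dir=$1
    for h in "$hooks_dir"/*; do
        [ -f "$h" ] && [ -x "$h" ] || continue
        case "$h" in *.sample) continue ;; esac
        printf 'HOOK %s\n' "${h##*/}"
    done
}

# Audit one deployed working tree; returns 1 if anything needs review.
audit_worktree() {
    repo=$1
    rc=0
    git -C "$repo" status --porcelain --ignored | classify_porcelain || rc=1
    found=$(cd "$repo" && active_hooks "$(git rev-parse --git-path hooks)")
    if [ -n "$found" ]; then printf '%s\n' "$found"; rc=1; fi
    return "$rc"
}

# Usage: sh audit.sh /path/to/deployed/clone   (non-zero exit means drift)
if [ "$#" -gt 0 ]; then audit_worktree "$1"; fi
```

Hooks that are part of the deployment itself will be listed too, so compare the output against a known-good list rather than treating every HOOK line as hostile.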