On 2015-02-17 22:32, Lukas Pitschl wrote:
> Hi all,
>
> <snip>
>
> The code that checks out our GPGTools_Core repository is pretty old already
> and it’s certainly a stupid way to do it.
> At the time we assumed that it was safe to check it out via ssl from github,
> since curl would refuse to do so if there was a certificate error. Passing it
> directly to bash is definitely a bad idea.
> We’ve discussed this internally and decided on removing the automated
> checkout completely.
> By making it a manual task, everyone can check out the code and verify that
> it’s in fact the code they wanted to check out.
> We will also look through our build system and check for similar code if
> there is.
>
> <snip>
Hi,

How about using the github flow[1][2] instead of committing straight to master? This would force at least *one* other dev to quickly code-review anything making it into the master branch.

It's not incredibly burdensome, but it adds a second pair of eyes to every line - something quite valuable in a security project, IMHO.

Just my two cents,

[1]: https://guides.github.com/introduction/flow/index.html
[2]: http://scottchacon.com/2011/08/31/github-flow.html

--
Hugo Osvaldo Barrera
A: Because we read from top to bottom, left to right.
Q: Why should I start my reply below the quoted text?
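The point in Lukas's quoted message, turned into a concrete check as an added example (not code from the thread or from GPGTools' build system): fetch the helper script to a file, compare its SHA-256 against a value pinned in the build, and only then hand it to the shell, so neither a bad certificate nor a modified download ever reaches bash. The script body and the pinned digest below are constructed for the demo; a real release would pin the digest out of band or check a detached signature with `gpg --verify`.

```shell
#!/bin/sh
# Added example: safe alternative to "curl https://... | bash".
# Assumes a POSIX sh plus sha256sum (coreutils) or shasum (BSD/macOS).
set -u

# Hex SHA-256 of a file, portable across coreutils and BSD userlands.
digest_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Execute a downloaded script only when its digest equals the pinned one.
# Returns 0 after running it, 1 when rejected; nothing runs on a mismatch.
verify_and_run() {
    file=$1
    expected=$2
    actual=$(digest_of "$file")
    if [ "$actual" != "$expected" ]; then
        echo "REFUSING to run $file: digest $actual != pinned $expected" >&2
        return 1
    fi
    sh "$file"
}

# --- Demo with a constructed "downloaded" script (no network needed) ---
demo() {
    tmp=$(mktemp -d)
    printf '%s\n' 'echo "build helper ran"' > "$tmp/bootstrap.sh"
    # A real build hard-codes this value from a trusted source; the demo
    # computes it once here so the happy path works offline.
    pinned=$(digest_of "$tmp/bootstrap.sh")

    verify_and_run "$tmp/bootstrap.sh" "$pinned"   # runs the helper

    # A copy altered in transit or on the mirror no longer matches.
    printf '%s\n' 'echo "not the script we pinned"' >> "$tmp/bootstrap.sh"
    verify_and_run "$tmp/bootstrap.sh" "$pinned" || echo "altered copy rejected"
    rm -rf "$tmp"
}

demo
```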
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users