[ZF] A couple of github issues
Matthew Wilkes
matthew at matthewwilkes.co.uk
Sat May 11 22:14:13 UTC 2013
Hi Jim,
(Replying to the original message first)
On 2013-02-10 20:56, Jim Fulton wrote:
> OK, so with this scheme, the vulnerability I see is that:
>
> - Someone on the CanAdd team could walk up to the github UI and add a
> non-contributor.
>
> Doing this would be a pretty significant foul and one that could be
> detected by monitoring the membership of the developer and CanAdd
> teams.
Actually, no. The CanAdd team only grants administrative access to newly
created repositories, but as the repo is part of an organisation you
need organisation admin to add people to teams. This means that only the
repository committee can add or remove members.
> This is a fairly small vulnerability.
I agree. We are already trusting contributors to not misrepresent their
commits.
Matt
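Jim's suggested control above (detecting an unauthorised team addition by monitoring membership of the developer and CanAdd teams) is easy to automate. The script below is an added example and is not code from this thread or from the Zope Foundation: it fetches a team's members through GitHub's documented REST endpoint `GET /orgs/{org}/teams/{team_slug}/members` and diffs the result against an approved roster. The organisation name, team slugs and logins in the sample data are constructed placeholders; the live fetch is only needed when you run it against a real organisation.

```python
"""Drift check for GitHub organisation team membership.

Added example (not from the mailing-list thread). Compares each team's
current member list against an approved roster and reports additions and
removals. Org/team names and logins below are constructed placeholders.
"""
import json
import urllib.request
from typing import Dict, Iterable, List, Set

GITHUB_API = "https://api.github.com"


def fetch_team_logins(org: str, team_slug: str, token: str) -> List[str]:
    """Return member logins for one team via the documented endpoint
    GET /orgs/{org}/teams/{team_slug}/members (token needs read:org).
    This makes network calls and is not exercised by the offline sample."""
    logins: List[str] = []
    page = 1
    while True:
        url = (f"{GITHUB_API}/orgs/{org}/teams/{team_slug}/members"
               f"?per_page=100&page={page}")
        req = urllib.request.Request(url, headers={
            "Authorization": f"Bearer {token}",
            "Accept": "application/vnd.github+json",
        })
        with urllib.request.urlopen(req, timeout=30) as resp:
            batch = json.load(resp)
        if not batch:          # empty page means pagination is exhausted
            return logins
        logins.extend(member["login"] for member in batch)
        page += 1


def membership_drift(approved: Iterable[str],
                     current: Iterable[str]) -> Dict[str, List[str]]:
    """Diff approved roster against current members.
    GitHub logins are case-insensitive, so compare in lower case."""
    approved_set: Set[str] = {u.lower() for u in approved}
    current_set: Set[str] = {u.lower() for u in current}
    return {
        "added": sorted(current_set - approved_set),    # present but not approved
        "removed": sorted(approved_set - current_set),  # approved but missing
    }


def audit_teams(approved_rosters: Dict[str, List[str]],
                current_rosters: Dict[str, List[str]]) -> Dict[str, Dict[str, List[str]]]:
    """Run the drift check for every approved team; return only teams with drift."""
    report: Dict[str, Dict[str, List[str]]] = {}
    for team, approved in approved_rosters.items():
        drift = membership_drift(approved, current_rosters.get(team, []))
        if drift["added"] or drift["removed"]:
            report[team] = drift
    return report


# Constructed sample data: the approved roster an org admin maintains, and a
# membership snapshot in which "mallory" was added to developers without approval.
APPROVED = {
    "developers": ["alice", "bob", "carol"],
    "canadd": ["alice", "bob"],
}
CURRENT_SNAPSHOT = {
    "developers": ["alice", "bob", "carol", "mallory"],
    "canadd": ["Alice", "bob"],   # case difference only, not drift
}

if __name__ == "__main__":
    # To audit a real organisation, replace CURRENT_SNAPSHOT with
    # {team: fetch_team_logins("<org>", team, "<token>") for team in APPROVED}.
    print(json.dumps(audit_teams(APPROVED, CURRENT_SNAPSHOT), indent=2))
```

Run it from a scheduled job and alert on any non-empty report; because only organisation admins can change team membership, any unexpected entry points at an admin account or token rather than at the CanAdd team.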