Git 1.7.9 offers more secure pull requests
Junio C Hamano has released version 1.7.9 of the Git source code management system. When asking for changes to be merged via "git pull", developers can now use "signed tags" to ensure that the code hasn't been modified after the pull request was submitted.
The technology is an indirect consequence of the break-in at kernel.org and a result of the kernel developers having checked some of their working methods for vulnerabilities after the incident. During their checks, they noticed that a potential attacker's changes to a Git repository can go unnoticed. Hamano explains how this could happen if the changes are made after a subsystem maintainer has submitted the repository and asked Linus Torvalds to integrate the changes it contains into the main development branch of Linux. Together with existing integrity checks, the new signatures remove this potential threat. Similarly to GPG/PGP-signed emails, they will allow Torvalds to ensure that he is merging the exact changes that were submitted in the Git pull request by the subsystem maintainers – who, in Git jargon, are also called "lieutenants".
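The check an integrator could run before merging such a request, as an added example that is not code from Git or from the kernel workflow. The function name `check_pull_tag`, its return codes and the tag name `for-linus` are assumptions made for illustration.

```shell
# Integrator-side gate for a pull request that names a tag.
# Maintainer side, for context:  git tag -s for-linus   then push the tag.
# Usage: check_pull_tag <repo> <tag> <commit-id-quoted-in-the-request>
# Return codes (constructed for this example):
#   0  signed tag verifies and points at the requested commit
#   1  tag is missing or lightweight (a bare ref cannot carry a signature)
#   2  tag object has no signature, or GPG could not verify it
#   3  tag does not point at the commit named in the request
check_pull_tag() {
    repo=$1; tag=$2; expected=$3

    # Only an annotated tag object can be signed; a lightweight tag
    # resolves straight to a commit.
    kind=$(git -C "$repo" cat-file -t "refs/tags/$tag" 2>/dev/null) || return 1
    [ "$kind" = "tag" ] || return 1

    # Peel the tag to the commit it covers and compare full object ids.
    tagged=$(git -C "$repo" rev-parse --verify -q "refs/tags/$tag^{commit}") || return 1
    want=$(git -C "$repo" rev-parse --verify -q "$expected^{commit}") || return 3
    [ "$tagged" = "$want" ] || return 3

    # Checks the GPG signature over the tag object, which embeds the commit id.
    git -C "$repo" verify-tag "$tag" >/dev/null 2>&1 || return 2
    return 0
}
```

A return of 0 additionally requires the signer's public key in the local GPG keyring, since `git verify-tag` delegates the signature check to GPG.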
Hamano explains several other new features of version 1.7.9 in the release email and in the announcement blog post. Changes include the increased use of the internationalisation framework and improvements to the system's large file support; the developers have also integrated a number of changes that had accumulated since early 2011. In another email, Hamano describes the potential changes that are lined up for Git 1.7.10.