
Ironically, Homebrew uses git to update its package metadata, but presumably you already trust Homebrew to not deliver malicious software (I also don't know if "pull" is vulnerable, or just "clone" and "checkout". Also Homebrew is hosted on GitHub, which now scans/blocks malicious repos)



> I also don't know if "pull" is vulnerable, or just "clone" and "checkout"

Yes it is

Now if you just do fetch and don't merge/rebase you're safe, still, this is a very rare occurrence
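The fetch-then-review workflow the reply above alludes to, as an added example that is not part of the thread and not Homebrew's or git's own code. It assumes git is installed; the remote name "origin" and branch "main" are hypothetical defaults, and flagging .gitmodules or gitlink (mode 160000) changes before merging is this example's own heuristic, chosen because submodule wiring is what a plain fetch leaves untouched and a merge would apply. The scenario it runs against (a local upstream repo, a clone, and one upstream commit adding submodule configuration) is constructed inline.

```shell
#!/bin/sh
# Added example, not from the thread: fetch first, review what the upstream
# branch would bring in, and only then decide to merge/rebase/checkout.
# Assumes git is installed; remote "origin" and branch "main" are
# hypothetical defaults. Flagging .gitmodules and gitlink (mode 160000)
# changes is this example's own heuristic for "look before you merge".
export GIT_AUTHOR_NAME=demo GIT_AUTHOR_EMAIL=demo@example.invalid
export GIT_COMMITTER_NAME=demo GIT_COMMITTER_EMAIL=demo@example.invalid

# Fetch one branch into FETCH_HEAD without touching the working tree,
# then print the raw diff (modes, hashes, status, path) against HEAD.
fetch_and_diff() {
    repo="$1"; remote="${2:-origin}"; branch="${3:-main}"
    git -C "$repo" fetch --quiet "$remote" "$branch" || return 2
    git -C "$repo" diff --raw HEAD FETCH_HEAD
}

# Exit 0 when the fetched changes look routine, 1 when they touch submodule
# wiring (.gitmodules or a gitlink entry), 2 on git errors.
review_fetch() {
    raw=$(fetch_and_diff "$@") || return 2
    if printf '%s\n' "$raw" |
       grep -qE '[[:space:]]\.gitmodules$|^:([0-7]{6} 160000 |160000 [0-7]{6} )'; then
        echo "review needed before merging:"
        printf '%s\n' "$raw" | cut -f2-
        return 1
    fi
    echo "routine fetch: $(printf '%s\n' "$raw" | grep -c .) path(s) changed"
    return 0
}

# Constructed scenario: a local "upstream" repo, a clone of it, then an
# upstream commit that adds submodule configuration. Prints the clone path.
build_demo() {
    tmp=$(mktemp -d) || return 2
    up="$tmp/upstream"; clone="$tmp/clone"
    git init --quiet "$up"
    git -C "$up" symbolic-ref HEAD refs/heads/main
    echo "hello" > "$up/README"
    git -C "$up" add README
    git -C "$up" commit --quiet -m "initial"
    git clone --quiet "$up" "$clone"
    printf '[submodule "lib"]\n\tpath = lib\n\turl = https://example.invalid/lib.git\n' \
        > "$up/.gitmodules"
    git -C "$up" add .gitmodules
    git -C "$up" commit --quiet -m "add submodule config"
    echo "$clone"
}

# Stand-alone run: build the scenario and review it (expect "review needed").
if [ "${1:-}" = "demo" ]; then
    review_fetch "$(build_demo)" origin main
fi
```

Run with `sh review.sh demo` (any file name): the fetch lands in FETCH_HEAD, HEAD and the working tree stay where they were, and the .gitmodules addition is reported before any merge or rebase is attempted. Merging only after the review is what keeps this a fetch and not a pull.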


Further ironically, how many people just did a

    brew update && brew upgrade
Without the git part specifically.



