
List:       git
Subject:    Re: git log -p unexpected behaviour - security risk?
From:       John Tapsell <johnflux () gmail ! com>
Date:       2013-04-30 19:31:03
Message-ID: CAHQ6N+pDeeZBabiArTXJy9POv10xCBU+=46YdYmW0Ge1qVgUCA () mail ! gmail ! com

On 30 April 2013 18:58, John Szakmeister <john@szakmeister.net> wrote:
> On Tue, Apr 30, 2013 at 1:05 PM, Matthieu Moy
> <Matthieu.Moy@grenoble-inp.fr> wrote:
>> Junio C Hamano <gitster@pobox.com> writes:
>>
>>> By the way, these options are _not_ about "showing merge commits
>>> that introduce code", and they do not help your kind of "security".
>>> As I repeatedly said, you would need "-p -m" for that.
>>
>> Actually, while defaulting to --cc may be convenient, it would indeed
>> increase the security risk: currently, "git log -p" shows nothing for
>> merges, so it's rather clear that _everything_ is omitted. With --cc,
>> the user would see a diff, and could hardly guess that not everything is
>> shown without reading the doc very carefully.
>
> I don't believe it's that clear.  I bet people assume there's nothing
> to show, and unless you dig in and discover that `-p` doesn't include
> merges.  In git 1.8.2, `git help log` doesn't seem to make any mention
> of `-p` not showing a diff for merges.
>
> Just to see, I asked several people around here whether they knew `-p`
> didn't show diffs for merges, and they were all surprised that diffs
> were being omitted for merge commits.

Is there no way to fix --cc to work even in the edge cases?

John
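
Added illustration (not part of the original message, and not code from the git project): the script below builds a throwaway repository whose merge commit adds a line present on neither parent, then counts how often that line shows up in `git log -p` versus `git log -p -m`, the form Junio says is needed. The repository contents, the marker string and the helper names (demo_git, build_demo_repo, count_marker) are constructed for this example.

```shell
#!/bin/sh
# Run git isolated from user/system configuration, with a fixed demo identity.
demo_git() {
    HOME=/nonexistent XDG_CONFIG_HOME=/nonexistent GIT_CONFIG_NOSYSTEM=1 \
    GIT_AUTHOR_NAME=demo GIT_AUTHOR_EMAIL=demo@example.invalid \
    GIT_COMMITTER_NAME=demo GIT_COMMITTER_EMAIL=demo@example.invalid \
    git "$@"
}

# Create a constructed repository and print its path.
build_demo_repo() {
    repo=$(mktemp -d) || return 1
    (
        cd "$repo" &&
        demo_git init -q . &&
        demo_git symbolic-ref HEAD refs/heads/main &&
        echo base > app.txt && echo base > other.txt &&
        demo_git add . && demo_git commit -q -m base &&
        demo_git checkout -q -b topic &&
        echo topic >> other.txt && demo_git commit -q -am "topic change" &&
        demo_git checkout -q main &&
        echo main > third.txt &&
        demo_git add . && demo_git commit -q -m "main change" &&
        # Stop before committing the merge and add a line that exists on
        # neither side, so it is recorded only in the merge commit itself.
        demo_git merge -q --no-ff --no-commit topic &&
        echo "added-in-merge" >> app.txt &&
        demo_git add app.txt && demo_git commit -q -m "merge topic"
    ) >/dev/null 2>&1 || return 1
    echo "$repo"
}

# Count output lines of "git log -p [extra flags]" that contain the marker.
count_marker() {
    dir=$1; shift
    demo_git -C "$dir" log -p "$@" | grep -c 'added-in-merge' || true
}

demo=$(build_demo_repo) && {
    echo "git log -p    : $(count_marker "$demo") line(s) show the merge-only change"
    echo "git log -p -m : $(count_marker "$demo" -m) line(s) show the merge-only change"
    rm -rf "$demo"
}
```

With default settings the first count is 0 because no diff is printed for the merge commit; with `-m` the line appears once per parent. For review of history that may contain merges, `git log -p -m` is the form to use.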