Git Vulnerability with Edward Thomson

Git is a distributed file system for version control. Git is extremely reliable, fast, and secure, owing to the fact that it is one of the oldest pieces of open source software. But even battle-tested software can have vulnerabilities. In this episode, we explore a subtle git vulnerability that could have led to git users executing malicious scripts when they intended simply to pull a repository.

Today’s guest Edward Thomson is a program manager at Microsoft, and a maintainer of libgit2, a C implementation of git. He also writes about git and hosts the podcast All Things Git. He is passionate about git development, which gave me a deeper perspective on something that I just consider a tool. But the only reason that tool is so good, the only reason it fades into the background, is because there are people that are passionate enough to work on it on a regular basis.

We also spent some time talking about the vulnerabilities that can spread through shared code environments, particularly in the realm of git, npm, and PHP. And we touched on how deployment workflows around git and Kubernetes are changing. Full disclosure: Microsoft, where Edward works, is a sponsor of Software Engineering Daily.

Transcript

Transcript provided by We Edit Podcasts. Software Engineering Daily listeners can go to weeditpodcasts.com/sed to get 20% off the first two months of audio editing and transcription services. Thanks to We Edit Podcasts for partnering with SE Daily.


Sponsors

Hired is a career marketplace that intelligently matches tech talent with the world’s most innovative companies. We combine cutting-edge technology with unbiased career coaching so both talent and employers can find the right fit, faster. We are on a mission to find everyone a job they love. Go to hired.com/sedaily, and get $600 free, if you find a job through Hired.

Datadog is a cloud-scale monitoring and analytics platform, providing deep, end-to-end visibility into the health and performance of modern applications. Try it yourself by starting a free, 14-day trial today. Listeners of this podcast will also receive a free Datadog T-shirt! softwareengineeringdaily.com/datadog

Raygun provides full stack error, crash, and performance monitoring for tech teams. Head over to softwareengineeringdaily.com/raygun, get up and running within minutes, and dramatically improve the online experiences of your users.

Flatiron School is an outcomes-focused coding bootcamp, offering transformative education in person and online. Start learning for free at flatironschool.com/sedaily and get $500 off your first month of Flatiron’s Online Data Science Bootcamp or Online Web Developer Program.