Bug#975005: git-stash: creates commits by without owning that domain

Tue, 17 Nov 2020 12:36:15 -0800 

Package: git
Version: 1:2.27.0-1~bpo10+1
Severity: minor

Hi, I noticed that "git stash" creates commits with this author and committer:

    git stash <git@stash>

This domain does not currently exist, but
someone could buy it from ICANN for about US$10,000 (I think).
That could cause exciting and weird bugs, such as
third-party scripts accidentally emailing classified changes to git@stash.

Please use a different domain that is either

  1) controlled by someone trustworthy (e.g. git/SFC, or Debian/SPI)
  2) is guaranteed (by RFCs) to fail

For comparison:

 * "canon" is an example gTLD owned by a company.

 * "ai" is an example ccTLD with working mail,
    i.e. <abuse@ai> is valid email address.

 * "invalid" is required to not work on the internet by some RFC (FIXME: which 
one?)

 * "example.com" apparently has an MX that deliberately doesn't work?
   I'm not sure if that is *guaranteed*, though.

Steps to reproduce:

    bash5$ git init
    Initialized empty Git repository in /tmp/with-temp-dir.XHK2wf/.git/
    bash5$ date >x
    bash5$ git add x
    bash5$ git commit -amx
    [master (root-commit) fe27c16] x
     1 file changed, 1 insertion(+)
     create mode 100644 x
    bash5$ date >x
    bash5$ git stash
    Saved working directory and index state WIP on master: fe27c16 x
    bash5$ git log --format=$'%aN <%aE>\n%cN <%cE>'
    Trent W. Buck <trentb...@gmail.com>
    Trent W. Buck <trentb...@gmail.com>
    bash5$ git log --all --format=$'%aN <%aE>\n%cN <%cE>'
    git stash <git@stash>
    git stash <git@stash>
    git stash <git@stash>
    git stash <git@stash>
    Trent W. Buck <trentb...@gmail.com>
    Trent W. Buck <trentb...@gmail.com>


-- System Information:
Debian Release: 10.6
  APT prefers stable
  APT policy: (990, 'stable'), (500, 'stable-updates'), (500, 
'proposed-updates')
Architecture: amd64 (x86_64)

Kernel: Linux 5.6.0-0.bpo.2-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_AU.utf8, LC_CTYPE=en_AU.utf8 (charmap=UTF-8), LANGUAGE=en_AU:en 
(charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages git depends on:
ii  git-man          1:2.27.0-1~bpo10+1
ii  libc6            2.28-10
ii  libcurl3-gnutls  7.64.0-4+deb10u1
ii  liberror-perl    0.17027-2
ii  libexpat1        2.2.6-2+deb10u1
ii  libpcre2-8-0     10.32-5
ii  perl             5.28.1-6+deb10u1
ii  zlib1g           1:1.2.11.dfsg-1

Versions of packages git recommends:
ii  ca-certificates              20190110
ii  less                         551-1~bpo10+1
ii  openssh-client [ssh-client]  1:7.9p1-10+deb10u2
ii  patch                        2.7.6-3+deb10u1

Versions of packages git suggests:
ii  gettext-base                          0.19.8.1-9
pn  git-cvs                               <none>
pn  git-daemon-run | git-daemon-sysvinit  <none>
pn  git-doc                               <none>
pn  git-el                                <none>
ii  git-email                             1:2.27.0-1~bpo10+1
pn  git-gui                               <none>
pn  git-mediawiki                         <none>
pn  git-svn                               <none>
ii  gitk                                  1:2.27.0-1~bpo10+1
pn  gitweb                                <none>

-- debconf-show failed

Reply via email to