
(This question was closed at Stack Overflow, Super User and Web Applications. Now I got sent here.)

The repository league/iso3166 changed the source
from https://github.com/thephpleague/iso3166.git
to https://github.com/alcohol/iso3166.git.

The user alcohol posted at https://github.com/alcohol/iso3166/issues/111

I made this package years ago under the league organization because someone suggested I do so, and I figured, why not. But at the same time I also maintain another ISO package, which has always existed under my own account.

Because I am short on time, and want to simplify things to make my own life easier, I'm looking at ways to bring both packages more in sync (interfaces wise but also infrastructural). One of the first steps, was to simply move the repository from the league organization to my own personal account.

So no, it's not a hijacking or anything along those lines. It's just me slowly making things easier for myself.

How can one verify if this repository transfer is legitimate and the account hasn't been compromised?

From the superuser comments it seems like one cannot be sure. But how do we handle this?

In the meantime I feel like this cannot be answered, but I would feel stupid continuing without even asking.

Comment: If a proprietary software project told you they were changing their website, how would you tell if the company had been compromised? If your bank told you they were changing their systems, how would you tell if the bank had been compromised? Or from recent history: if you were buying pagers, how would you tell if the company you were buying from is really the company you thought it was? tl;dr: I'm voting to close this because it isn't an open source problem. Commented Jan 27 at 13:34

1 Answer

There is no fool-proof or one way to make sure that this transfer or any other is legitimate. And this issue is not exclusive to open source, but may be more visible here.

git meanwhile offers signing of commits, but so do other version control systems like Mercurial. Thus if the commits from the same author on the same repository have been signed before and after, you can be reasonably sure it is legitimate (because the very same person says so and you could verify the signature on the commits).

Slightly less, but you can still be reasonably sure if the commits come from the same author - but then that's rather easily changed at commit time. Of course you can always reach out to the author(s) when their commit e-mail is mentioned in the commits - thus verification via other channels than just looking at the repository.

There can be other ways - but they mostly will boil down to: talk to people, establish a web of trust and cross-verify references, where needed.
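The answer's practical check, "were the commits signed with the same key before and after the move?", can be scripted. The following is an added example, not code from the answer, the question or the iso3166 project. It assumes a git version that understands the `%G?` (signature status) and `%GK` (signing key) log placeholders, and that the maintainer's public key has been imported into the local GPG keyring so git can verify signatures at all; without the key, every commit shows status `E` (cannot be checked), which the script deliberately does not treat as good.

```shell
#!/bin/sh
# Added example: audit commit-signature status over a git range.
# Assumes: git with %G?/%GK support and the author's public key imported.
#
# git's %G? status letters:
#   G good and trusted   U good, key validity unknown   B bad signature
#   X good but expired   Y good, key expired            R good, key revoked
#   E cannot be checked (e.g. key missing)              N no signature

# Turn one "<sha> <status> <key>" line into a human-readable verdict.
classify_line() {
    sha=$1; status=$2; key=$3
    case "$status" in
        G)      echo "$sha good key=$key" ;;
        U)      echo "$sha good-but-untrusted key=$key" ;;
        B)      echo "$sha BAD-signature key=$key" ;;
        X|Y|R)  echo "$sha expired-or-revoked($status) key=$key" ;;
        E)      echo "$sha cannot-verify(missing-key) key=$key" ;;
        N|"")   echo "$sha unsigned" ;;
        *)      echo "$sha unknown($status)" ;;
    esac
}

# Read "<sha> <status> <key>" lines on stdin, print a verdict per commit,
# return 1 if any commit is not signed with a good, trusted signature.
audit_signatures() {
    bad=0
    while read -r sha status key; do
        [ -z "$sha" ] && continue
        classify_line "$sha" "$status" "$key"
        case "$status" in G) ;; *) bad=1 ;; esac
    done
    return $bad
}

# List the distinct key ids that produced good (G) signatures on stdin.
# Comparing this set for the range before the transfer with the range after
# it is the "same signing key before and after" check from the answer.
distinct_good_keys() {
    awk '$2 == "G" { print $3 }' | sort -u
}

# Wrappers that feed real repository data into the functions above.
# Usage: audit_repo_range v4.3.0..HEAD   /   repo_good_keys v4.0.0..v4.3.0
audit_repo_range() {
    git log --format='%H %G? %GK' "$1" | audit_signatures
}
repo_good_keys() {
    git log --format='%H %G? %GK' "$1" | distinct_good_keys
}
```

Run `repo_good_keys <old-range>` and `repo_good_keys <new-range>` and compare the two lists; a key that appears only after the transfer is the thing to follow up on through another channel, exactly as the answer suggests. `git verify-commit <sha>` and `git log --show-signature` give the same information one commit at a time.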
