
add Rebased to list of git GUIs #2132

Open

DetachHead wants to merge 1 commit into git:gh-pages from DetachHead:patch-1

Conversation

@DetachHead (Author)

Changes

Context

After this issue on YouTrack gained hundreds of upvotes, JetBrains released a closed preview for an experimental Git client. However, they unfortunately cancelled the project after a few months, so I decided to fork IntelliJ to create my own version.

@dscho (Member)

dscho commented Feb 17, 2026

I am quite certain that we should refrain from merging this PR any time soon, given this warning:
[image]

@DetachHead (Author)

Fair enough. Will close this until I feel like it's stable enough to remove that warning.

@DetachHead DetachHead closed this Feb 17, 2026
@DetachHead (Author)

I've just released version 1.0 and removed that warning as I believe it's stable now :)

@DetachHead (Author)

As far as I can tell, it looks like the failed CI isn't related to my change.

@dscho (Member)

dscho commented May 22, 2026

I went through the fork delta (the changes on top of upstream IntelliJ Community) and did not find anything malicious. I appreciate that the fork actually disables JetBrains' analytics/telemetry registration -- that is a net positive. The code itself looks fine.

That said, I have a few concerns about the build and distribution pipeline that I think should be addressed before we list this.

The .gitmodules file uses git://git.jetbrains.org/idea/android.git for the Android submodule -- that is plaintext, unauthenticated transport. Since the CI workflows fetch submodules with submodules: true as part of the release build, this weakens the integrity of the build chain.

The macOS distribution is explicitly unsigned. The README tells users to run xattr -rd com.apple.quarantine to bypass Gatekeeper. I understand this is common for small open-source projects, but it is a hard sell for something we would recommend on git-scm.com.

In ide_build_and_upload.yml, the AppImage build downloads appimagetool from GitHub via wget without verifying a checksum. And in IntelliJ_IDEA.yml, the release job uses marvinpinto/action-automatic-releases@v1.2.1 pinned by tag rather than commit SHA, while other actions in the same repo do use SHA-pinned references. Tag-pinned actions are susceptible to tag rewriting by upstream.

Release checksums and SBOMs are generated in CI but not actually published to the release page, so users have no way to verify what they download.

None of these are "the code is dangerous" -- to reiterate, the code itself looks clean. But distribution hygiene matters for something we endorse on the official Git website.
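The three pipeline checks raised in the review above, written out as an added example; this is not code from this thread, from the Rebased project's workflows, or from the git-scm.com repository. The workflow and .gitmodules contents are constructed for illustration (the 40-hex SHA is a placeholder, not a real commit), and the helper names are assumptions. It flags Actions references pinned by tag rather than commit SHA, submodules fetched over an unauthenticated transport, and gives a checksum gate a CI step can put after a download:

```shell
#!/bin/sh
# Added example for this review thread; not code from the Rebased project,
# its workflows, or the git-scm.com repository. All file contents below are
# constructed samples.
set -eu

# Print each "uses:" reference in a workflow file whose ref is not a 40-hex
# commit SHA. Local actions ("./path") are skipped; quoted values are not handled.
find_tag_pinned_uses() {
    grep -E '^[[:space:]]*-?[[:space:]]*uses:' "$1" \
      | sed -E 's/^[[:space:]]*-?[[:space:]]*uses:[[:space:]]*//; s/[[:space:]]*(#.*)?$//' \
      | grep -E '^[^./].*@' \
      | grep -Ev '@[0-9a-f]{40}$' || true
}

# Print each submodule URL in a .gitmodules file that uses git:// or http://.
# Neither transport authenticates the server, so the fetched history can be
# substituted in transit; https:// (or ssh://) plus a pinned commit is the fix,
# since the pin alone does not help if the first fetch already arrived tampered.
find_insecure_submodule_urls() {
    grep -E '^[[:space:]]*url[[:space:]]*=[[:space:]]*(git|http)://' "$1" \
      | sed -E 's/^[[:space:]]*url[[:space:]]*=[[:space:]]*//' || true
}

# Compare a downloaded file's SHA-256 against a digest recorded in the repo.
# Returns non-zero on mismatch, so a CI step such as
#   wget -q "$URL" -O appimagetool && verify_sha256 appimagetool "$EXPECTED"
# fails the build instead of running an unverified binary.
verify_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        actual=$(sha256sum "$1" | cut -d' ' -f1)
    else
        actual=$(shasum -a 256 "$1" | cut -d' ' -f1)   # macOS fallback
    fi
    [ "$actual" = "$2" ]
}

# Write constructed sample inputs into the directory given as $1. The 40-hex SHA
# is a placeholder, not a real commit; the tag-pinned action is the one named in
# the review.
write_samples() {
    cat > "$1/build.yml" <<'EOF'
name: release
on: [push]
jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - uses: ./.github/actions/local-step
      - uses: marvinpinto/action-automatic-releases@v1.2.1   # tag-pinned
      - run: wget -q https://example.invalid/appimagetool
EOF
    cat > "$1/.gitmodules" <<'EOF'
[submodule "android"]
    path = android
    url = git://git.jetbrains.org/idea/android.git
[submodule "vendored"]
    path = vendored
    url = https://example.invalid/vendored.git
EOF
}

# Stand-alone run: audit the constructed samples and report findings.
tmp=$(mktemp -d)
write_samples "$tmp"
echo "tag-pinned actions:";      find_tag_pinned_uses "$tmp/build.yml"
echo "insecure submodule URLs:"; find_insecure_submodule_urls "$tmp/.gitmodules"
rm -rf "$tmp"
```

Run against a real checkout by pointing the two `find_*` functions at the repository's `.github/workflows/*.yml` and `.gitmodules`; a non-empty result from either is a finding to fix before release, and `verify_sha256` is meant to sit directly after any `wget`/`curl` step so that a digest mismatch fails the job.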

@DetachHead (Author)

DetachHead commented May 22, 2026

Thanks for the review. I'm aware of most of these issues; some are unfortunately inherited from the upstream intellij-community repo, and some I'm already working to address.

The .gitmodules file uses git://git.jetbrains.org/idea/android.git for the Android submodule -- that is plaintext, unauthenticated transport. Since the CI workflows fetch submodules with submodules: true as part of the release build, this weakens the integrity of the build chain.

Yeah, unfortunately the intellij-community repo seems to be highly dependent on that repo. It's unfortunate because Rebased itself does not depend on anything Android-related, but I haven't been able to figure out how to get it to build without it.

I do believe I've made it a bit more secure though. It used to be a separate bash script that clones the repo at the master branch, but I've updated it to be a git submodule pinned to a specific hash. I do still want to try to get rid of it entirely though (DetachHead/rebased#11).

In ide_build_and_upload.yml, the AppImage build downloads appimagetool from GitHub via wget without verifying a checksum.

And in IntelliJ_IDEA.yml, the release job uses marvinpinto/action-automatic-releases@v1.2.1 pinned by tag rather than commit SHA

Will fix, thanks.

The macOS distribution is explicitly unsigned. The README tells users to run xattr -rd com.apple.quarantine to bypass Gatekeeper. I understand this is common for small open-source projects, but it is a hard sell for something we would recommend on git-scm.com.

I'm in the process of getting a certificate for signing the Windows releases through SignPath, see DetachHead/rebased#178 (comment). If something similar exists for macOS I'd be happy to do that. I just hate the idea of having to bribe a company just to "prove" that my application is safe.

Release checksums and SBOMs are generated in CI but not actually published to the release page, so users have no way to verify what they download.

This issue was also inherited from the upstream repo. Honestly, I didn't know what the SPDX files were so I just left them as-is (assuming that's what you mean by SBOMs?). I'll look into including them in the releases.

As for the checksums, uploading those is redundant IMO because GitHub already shows checksums next to each release asset:

[image]

@DetachHead (Author)

I've addressed most of your concerns in DetachHead/rebased#212. The only outstanding point is the one regarding the macOS version being unsigned.

I've also made some other security improvements:

@dscho (Member)

dscho commented May 27, 2026

Thank you for improving the security stance of Rebased.

As far as accepting this PR, I am uncomfortable making the decision on my own what UIs are okay to advertise on git-scm.com, so I'll not merge this unless another person with write permission on this repository chimes in and is in favor.
