libtool

Re: .gitmodules security


From: Mike Frysinger
Subject: Re: .gitmodules security
Date: Sun, 6 Feb 2022 16:43:47 -0500

On 06 Feb 2022 14:59, Alex Ameen wrote:
> Hey, I can't claim to be an expert about this category of vulnerability; 
> but I appreciate you raising this concern.

it requires more than a MITM to be successful.  you'd also have to come up with
a sha1 collision which is non-trivial for most people.  not out of the reach of
nation states, but we prob aren't the target market :p.

i'm not against changing to https of course, just providing a bit more color.

> So is your recommendation to use 
> https://git.savannah.gnu.org/git/gnulib.git instead of 
> git://git.sv.gnu.org/gnulib.git?

i'll note that just about every GNU project that utilizes gnulib is using the git://
style.  looks like gnulib itself only changed its advice about a year ago.
http://git.savannah.gnu.org/cgit/gnulib.git/commit/?h=b7da35aebaeece97dd8946072952979bb67f8db2
-mike
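
An added example, not part of the original message or of libtool: a small audit that lists `.gitmodules` URLs using the unauthenticated `git://` or plain `http://` transports and applies only the gnulib replacement quoted in the thread. The sample file is constructed, and the `vendored` submodule and `example.org` URLs are hypothetical.

```python
import re

# Transports with no server authentication or integrity protection on the wire.
CLEARTEXT = ("git://", "http://")

# Replacement pair quoted in the thread; any other host needs its own entry.
KNOWN_REWRITES = {
    "git://git.sv.gnu.org/gnulib.git":
        "https://git.savannah.gnu.org/git/gnulib.git",
}

SECTION_RE = re.compile(r'^\s*\[submodule\s+"([^"]+)"\]\s*$')
URL_RE = re.compile(r'^(\s*url\s*=\s*)(\S+)\s*$')

# Constructed sample; "vendored" and example.org are hypothetical.
SAMPLE = '''[submodule "gnulib"]
\tpath = gnulib
\turl = git://git.sv.gnu.org/gnulib.git
[submodule "docs"]
\tpath = docs
\turl = https://example.org/docs.git
[submodule "vendored"]
\tpath = vendored
\turl = http://example.org/vendored.git
'''

def audit_gitmodules(text):
    """Return (submodule, url, suggested_url_or_None) for cleartext URLs."""
    findings, name = [], None
    for line in text.splitlines():
        section = SECTION_RE.match(line)
        if section:
            name = section.group(1)
            continue
        url = URL_RE.match(line)
        if url and name and url.group(2).lower().startswith(CLEARTEXT):
            findings.append((name, url.group(2), KNOWN_REWRITES.get(url.group(2))))
    return findings

def rewrite_gitmodules(text):
    """Apply only the known rewrites; unknown cleartext URLs stay for review."""
    out = []
    for line in text.splitlines(keepends=True):
        url = URL_RE.match(line)
        if url and url.group(2) in KNOWN_REWRITES:
            line = url.group(1) + KNOWN_REWRITES[url.group(2)] + "\n"
        out.append(line)
    return "".join(out)

if __name__ == "__main__":
    for name, url, fix in audit_gitmodules(SAMPLE):
        print(f"{name}: {url} -> {fix or 'no known https:// equivalent, review by hand'}")
```

Existing clones keep the old URL in `.git/config` until `git submodule sync` is run after `.gitmodules` changes.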
