Re: .gitmodules security

[Mike Frysinger]

On 07 Feb 2022 00:19, Vincent Lefevre wrote:
> On 2022-02-06 16:43:47 -0500, Mike Frysinger wrote:
> > it requires more than a MITM to be successful. you'd also have to
> > come up with a sha1 collision which is non-trivial for most people.
> > not out of the reach of nation states, but we prob aren't the target
> > market :p.
> 
> I don't understand why you would need a sha1 collision, while you
> don't have a sha1 to compare with: say, the current local status is
> at a commit common to the real repository and to a fake repository,
> then the remote repositories diverge: with a "git fetch" only, how
> can you distinguish the real new commits and the fake new commits?

the repository is pinned to a specific commit as you can see online:
https://git.savannah.gnu.org/cgit/libtool.git/log/gnulib

so the normal git clone + submodule sync requires a sha1 collision.

if someone were to manually update the submodule to a newer version,
then you only have to MITM new fake commits, but presumably a commit
updating the pin would be detected fairly quickly as no one else is
going to have those commits injected.
-mike

signature.asc
Description: PGP signature