[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: .gitmodules security

From: Mike Frysinger
Subject: Re: .gitmodules security
Date: Sun, 6 Feb 2022 19:49:36 -0500

On 07 Feb 2022 00:19, Vincent Lefevre wrote:
> On 2022-02-06 16:43:47 -0500, Mike Frysinger wrote:
> > it requires more than a MITM to be successful. you'd also have to
> > come up with a sha1 collision which is non-trivial for most people.
> > not out of the reach of nation states, but we prob aren't the target
> > market :p.
> I don't understand why you would need a sha1 collision, while you
> don't have a sha1 to compare with: say, the current local status is
> at a commit common to the real repository and to a fake repository,
> then the remote repositories diverge: with a "git fetch" only, how
> can you distinguish the real new commits and the fake new commits?

the repository is pinned to a specific commit as you can see online:

so the normal git clone + submodule sync requires a sha1 collision.

if someone were to manually update the submodule to a newer version,
then you only have to MITM new fake commits, but presumably a commit
updating the pin would be detected fairly quickly as no one else is
going to have those commits injected.

Attachment: signature.asc
Description: PGP signature

reply via email to

[Prev in Thread] Current Thread [Next in Thread]