
Re: .gitmodules security


From: Vincent Lefevre
Subject: Re: .gitmodules security
Date: Mon, 7 Feb 2022 09:32:01 +0100
User-agent: Mutt/2.1.5+134 (92686e5d) vl-138565 (2022-02-02)

On 2022-02-06 19:49:36 -0500, Mike Frysinger wrote:
> the repository is pinned to a specific commit as you can see online:
> https://git.savannah.gnu.org/cgit/libtool.git/log/gnulib
> 
> so the normal git clone + submodule sync requires a sha1 collision.
> 
> if someone were to manually update the submodule to a newer version,
> then you only have to MITM new fake commits, but presumably a commit
> updating the pin would be detected fairly quickly as no one else is
> going to have those commits injected.

OK, but I was thinking in particular of the case of a manual update
without a commit updating the pin. The user may want to do that for
testing, e.g. in case of a problem with old gnulib code or to mimic
what is done on Debian (where libtool uses the version from the
gnulib package, so it is interesting to know the behavior with
the current gnulib).

-- 
Vincent Lefèvre <vincent@vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)
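The situation the thread discusses, a submodule working tree moved off its pinned commit without any commit recording the change, is something a build or CI step can check for before trusting the checkout. The script below is an added example, not code from the thread, from libtool or from gnulib; it parses constructed `git ls-tree HEAD` and `git submodule status` output (both embedded as sample strings here; in real use they would come from running those commands in the superproject) and reports each submodule as matching its pin, drifted, uninitialized, or in conflict.

```python
"""Compare submodule checkouts against the gitlinks pinned in the superproject.

Added example (not from the libtool thread). The two inputs are constructed
samples of `git ls-tree HEAD` and `git submodule status` output.
"""
import re
from typing import Dict, List, Tuple

# Gitlink rows from `git ls-tree HEAD`: "160000 commit <sha>\t<path>"
LS_TREE_RE = re.compile(r"^160000 commit ([0-9a-f]{40})\t(.+)$")

# Rows from `git submodule status`: "<flag><sha> <path>[ (<describe>)]"
#   ' ' : checked-out commit matches the index (the pin)
#   '+' : checked-out commit differs from the index
#   '-' : submodule not initialized (sha shown is the pin)
#   'U' : merge conflicts inside the submodule
STATUS_RE = re.compile(r"^([ +\-U])([0-9a-f]{40}) (\S+)(?: \((.*)\))?$")

# Constructed commit ids (hypothetical, 40 hex chars each)
PIN_GNULIB = "1" * 40
PIN_M4 = "2" * 40
PIN_LIBSUB = "4" * 40
HEAD_GNULIB_ACTUAL = "3" * 40   # someone ran `git checkout` inside gnulib

SAMPLE_LS_TREE = (
    f"160000 commit {PIN_GNULIB}\tgnulib\n"
    f"160000 commit {PIN_M4}\tm4-extra\n"
    f"160000 commit {PIN_LIBSUB}\tlibsub\n"
)
SAMPLE_STATUS = (
    f"+{HEAD_GNULIB_ACTUAL} gnulib (v0.1-5100-g3333333)\n"
    f" {PIN_M4} m4-extra (v1.0)\n"
    f"-{PIN_LIBSUB} libsub\n"
)


def parse_pins(ls_tree_out: str) -> Dict[str, str]:
    """Map submodule path -> commit pinned in the superproject's HEAD tree."""
    pins: Dict[str, str] = {}
    for line in ls_tree_out.splitlines():
        m = LS_TREE_RE.match(line)
        if m:
            pins[m.group(2)] = m.group(1)
    return pins


def parse_status(status_out: str) -> Dict[str, Tuple[str, str, str]]:
    """Map submodule path -> (flag, commit shown, describe text)."""
    rows: Dict[str, Tuple[str, str, str]] = {}
    for line in status_out.splitlines():
        m = STATUS_RE.match(line)
        if m:
            flag, sha, path, desc = m.groups()
            rows[path] = (flag, sha, desc or "")
    return rows


def audit_submodules(ls_tree_out: str, status_out: str) -> List[dict]:
    """Classify every submodule row against its pin."""
    pins = parse_pins(ls_tree_out)
    findings: List[dict] = []
    for path, (flag, sha, _desc) in parse_status(status_out).items():
        pinned = pins.get(path)
        if pinned is None:
            state = "unpinned"         # status row with no gitlink in HEAD
        elif flag == "U":
            state = "conflict"
        elif flag == "-":
            state = "uninitialized"    # nothing checked out yet
        elif flag == "+" or sha != pinned:
            state = "drifted"          # working tree is on another commit
        else:
            state = "ok"
        findings.append({"path": path, "pinned": pinned,
                         "actual": sha, "state": state})
    return findings


def drifted_paths(findings: List[dict]) -> List[str]:
    """Paths whose checkout no longer matches what the superproject records."""
    return sorted(f["path"] for f in findings if f["state"] == "drifted")


if __name__ == "__main__":
    for f in audit_submodules(SAMPLE_LS_TREE, SAMPLE_STATUS):
        print(f"{f['state']:14} {f['path']:10} pinned={f['pinned'][:7]} "
              f"actual={f['actual'][:7]}")
```

A build that refuses to proceed when `drifted_paths()` is non-empty catches exactly the case Vincent raises: a locally updated submodule that no commit to the superproject records, so nobody else would notice it from the history.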


