libtool
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: .gitmodules security

From: Alex Ameen
Subject: Re: .gitmodules security
Date: Sun, 6 Feb 2022 14:59:00 -0600
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.12.0
Hey, I can't claim to be an expert about this category of vulnerability; but I appreciate you raising this concern.
So is your recommendation to use https://git.savannah.gnu.org/git/gnulib.git instead of git://git.sv.gnu.org/gnulib.git? 

On 2/6/22 2:26 PM, Vincent Lefevre wrote:

On 2022-02-06 21:22:11 +0100, Vincent Lefevre wrote:

The .gitmodules file contains:

[submodule "gnulib"]
         path = gnulib
         url = git://git.sv.gnu.org/gnulib.git
[submodule "bootstrap"]
         path = gl-mod/bootstrap
         url = https://github.com/gnulib-modules/bootstrap.git

but AFAIK, there is no host authentication done with the "git:"
protocol, so that this is vulnerable to MitM attacks.

How about changing this to https?

Additional details: i.e. https://git.savannah.gnu.org/git/gnulib.git
according to what is described on

   https://www.gnu.org/software/gnulib/
reply via email to
[Prev in Thread] Current Thread [Next in Thread]