Re: .gitmodules security
From: Mike Frysinger
Subject: Re: .gitmodules security
Date: Sun, 6 Feb 2022 19:49:36 -0500
On 07 Feb 2022 00:19, Vincent Lefevre wrote:
> On 2022-02-06 16:43:47 -0500, Mike Frysinger wrote:
> > It requires more than a MITM to be successful. You'd also have to
> > come up with a SHA-1 collision, which is non-trivial for most people.
> > Not out of the reach of nation states, but we prob aren't the target
> > market :p.
>
> I don't understand why you would need a sha1 collision, while you
> don't have a sha1 to compare with: say, the current local status is
> at a commit common to the real repository and to a fake repository,
> then the remote repositories diverge: with a "git fetch" only, how
> can you distinguish the real new commits and the fake new commits?
The repository is pinned to a specific commit, as you can see online:
https://git.savannah.gnu.org/cgit/libtool.git/log/gnulib
so the normal git clone + submodule sync requires a SHA-1 collision.
If someone were to manually update the submodule to a newer version,
then you only have to MITM new fake commits, but presumably a commit
updating the pin would be detected fairly quickly, as no one else is
going to have those commits injected.
-mike
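The pinning argument in the message above, as an added worked example (this is not code from the thread, from libtool or from gnulib). It assumes git is installed and uses throwaway local-path repositories named lib, super, mitm and rewritten as stand-ins for gnulib, libtool and the attacker's server; the man-in-the-middle is emulated by overriding submodule.lib.url in the victim's clone so that the submodule URL resolves to the attacker's repository. It shows that the gitlink in the superproject's tree, not the remote's HEAD, decides what `git submodule update` checks out: a remote that serves the real history plus fake commits is checked out at the pinned commit, a remote whose history lacks the pinned commit fails outright, and only an explicit move of the pin (`--remote`) picks up the fake tip.

```shell
#!/bin/sh
# Added example (not from the libtool thread): submodule pinning vs. a MITM'd
# submodule remote. Repo names and paths are hypothetical stand-ins.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
export GIT_AUTHOR_NAME=demo GIT_AUTHOR_EMAIL=demo@example.invalid
export GIT_COMMITTER_NAME=demo GIT_COMMITTER_EMAIL=demo@example.invalid
# Recent git refuses the file transport for submodules unless allowed explicitly.
GIT="git -c protocol.file.allow=always -c commit.gpgsign=false"

commit_file() {  # commit_file <repo> <file> <content> <message>
    printf '%s\n' "$3" > "$1/$2"
    $GIT -C "$1" add "$2"
    $GIT -C "$1" commit -q -m "$4"
}

# Upstream library (the gnulib role) with one genuine commit.
git init -q "$WORK/lib"
commit_file "$WORK/lib" lib.c 'int lib(void) { return 1; }' 'lib: initial'
GOOD=$(git -C "$WORK/lib" rev-parse HEAD)
BRANCH=$(git -C "$WORK/lib" symbolic-ref --short HEAD)

# Superproject (the libtool role): the pin is a gitlink entry in its tree.
git init -q "$WORK/super"
$GIT -C "$WORK/super" submodule --quiet add "$WORK/lib" lib
$GIT -C "$WORK/super" config -f .gitmodules submodule.lib.branch "$BRANCH"
$GIT -C "$WORK/super" add .gitmodules
$GIT -C "$WORK/super" commit -q -m 'add lib submodule'

pinned_commit() {  # commit id recorded for lib in the superproject's HEAD tree
    git -C "$WORK/super" ls-tree HEAD lib | awk '{ print $3 }'
}

# Attacker repo A: the real history plus fake commits on top.
$GIT clone -q "$WORK/lib" "$WORK/mitm"
commit_file "$WORK/mitm" lib.c 'int lib(void) { return 0; /* backdoor */ }' 'lib: fake'
FAKE=$(git -C "$WORK/mitm" rev-parse HEAD)

# Attacker repo B: unrelated history that does not contain the pinned commit.
git init -q "$WORK/rewritten"
commit_file "$WORK/rewritten" lib.c 'int lib(void) { return 0; }' 'lib: rewritten'

victim_clone() {  # fresh clone of super whose submodule URL now resolves to $1
    dst=$(mktemp -d "$WORK/victim.XXXXXX")
    $GIT clone -q "$WORK/super" "$dst/super"
    $GIT -C "$dst/super" submodule --quiet init
    $GIT -C "$dst/super" config submodule.lib.url "$1"   # emulates the interception
    echo "$dst/super"
}

checkout_from_remote() {  # what the normal clone + submodule update checks out
    v=$(victim_clone "$1")
    if $GIT -C "$v" submodule --quiet update >/dev/null 2>&1; then
        git -C "$v/lib" rev-parse HEAD
    else
        echo FAILED
    fi
}

update_to_remote_tip() {  # what a manual move of the pin to the remote tip picks up
    v=$(victim_clone "$1")
    $GIT -C "$v" submodule --quiet update --init --remote >/dev/null 2>&1
    git -C "$v/lib" rev-parse HEAD
}

echo "pinned commit:        $(pinned_commit)"
echo "update via real:      $(checkout_from_remote "$WORK/lib")"
echo "update via mitm:      $(checkout_from_remote "$WORK/mitm")  (pin wins, fake tip $FAKE ignored)"
echo "update via rewritten: $(checkout_from_remote "$WORK/rewritten")"
echo "--remote via mitm:    $(update_to_remote_tip "$WORK/mitm")  (fake tip now checked out)"
```

The last case is the one the message calls out: after `--remote` the superproject's gitlink differs from HEAD, so the fake pin is visible in `git status`/`git diff` and would have to be committed and pushed to reach anyone else.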