qemu-devel

Re: [Qemu-devel] insecure git submodule URLs


From: Stefan Hajnoczi
Subject: Re: [Qemu-devel] insecure git submodule URLs
Date: Tue, 4 Dec 2018 10:32:00 +0000
User-agent: Mutt/1.10.1 (2018-07-13)

On Mon, Oct 08, 2018 at 02:17:39PM -0500, Eric Blake wrote:
> On 7/15/18 7:56 PM, Jann Horn via Qemu-devel wrote:
> > On Sun, Jul 15, 2018 at 11:18 PM Peter Maydell <address@hidden> wrote:
> > > 
> > > On 15 July 2018 at 20:50, Jann Horn via Qemu-devel
> > > <address@hidden> wrote:
> > > > I noticed that when I build QEMU from git for the first time, it pulls
> > > > in submodules over the insecure git:// protocol - in other words, as
> > > > far as I can tell, if I'm e.g. on an open wifi network while building
> > > > QEMU for the first time, even if I cloned the main repository over
> > > > https, anyone could smuggle in malicious code as part of e.g. a
> > > > submodule's makefile.
> > > 
> > > Yes, this came up the other week.
> > > 
> > > > I'm not sure what your preferred fix for this is, so I'm not sending a
> > > > patch yet. As far as I can tell, the two options are:
> > > > 
> > > >   - change .gitmodules to use https for everything
> > > 
> > > We should probably do this...
> > > 
> 
> > > > As far as I can tell, the QEMU git server only supports the "dumb" git
> > > > protocol when accessed over HTTPS, not the "smart" protocol. I'm not
> > > > sure whether that might be why QEMU is currently still using the
> > > > insecure git protocol instead of git over HTTPS?
> > > 
> > > This is why we haven't switched over the submodules yet, yes.
> > > It's on Jeff's todo list for the server, though.
> 
> Did we ever get this done? (And updating this thread to pull in Jeff's new
> email). (Reminded of this now that there is yet another submodule being
> proposed for mirroring)

For the record, Jeff Cody set up smart HTTP for https://git.qemu.org/
and QEMU 3.1.0 will use https for submodules.

Stefan


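The fix discussed in this thread is to point every submodule in .gitmodules at an authenticated transport. The script below is an added example, not code from the thread or from the QEMU project: it audits a .gitmodules file for submodules fetched over git:// or http:// (transports with no server authentication, which is what makes the open-wifi scenario above possible) and emits a copy rewritten to https://. The sample .gitmodules, its submodule names and the host git.example.org are constructed for the example; the rewrite also assumes the server actually serves the same repository path over HTTPS, which, as the thread notes, is exactly the precondition QEMU had to satisfy before switching.

```shell
#!/bin/sh
# Added example, not QEMU code: audit a .gitmodules file for submodule URLs
# pulled over unauthenticated transports (git://, http://) and rewrite them
# to https://. The sample .gitmodules further down is constructed.

# Print "name<TAB>url" for every submodule whose url uses git:// or http://.
# $1 = path to a .gitmodules file
insecure_submodule_urls() {
    awk '
        /^\[submodule "/ {
            name = $0
            sub(/^\[submodule "/, "", name)
            sub(/"\]$/, "", name)
        }
        /^[ \t]*url[ \t]*=/ {
            url = $0
            sub(/^[ \t]*url[ \t]*=[ \t]*/, "", url)
            if (url ~ /^(git|http):\/\//) printf "%s\t%s\n", name, url
        }
    ' "$1"
}

# Emit a copy of the file with git:// and http:// urls rewritten to https://.
# Assumption: the server serves the same path over HTTPS (smart or dumb HTTP);
# otherwise the rewritten submodule simply fails to clone, which is still the
# safer failure than fetching unauthenticated code.
rewrite_submodule_urls_https() {
    awk '
        /^[ \t]*url[ \t]*=[ \t]*(git|http):\/\// { sub(/(git|http):\/\//, "https://") }
        { print }
    ' "$1"
}

# Exit 0 if no insecure URLs remain, 1 otherwise (usable as a CI gate).
check_submodules() {
    [ -z "$(insecure_submodule_urls "$1")" ]
}

# --- constructed sample; names and host are made up for this example ---
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
[submodule "example-a"]
	path = example-a
	url = git://git.example.org/example-a.git
[submodule "example-b"]
	path = example-b
	url = https://git.example.org/example-b.git
[submodule "example-c"]
	path = example-c
	url = http://git.example.org/example-c.git
EOF

echo "insecure submodule urls:"
insecure_submodule_urls "$SAMPLE"
echo "rewritten .gitmodules:"
rewrite_submodule_urls_https "$SAMPLE"
```

In a real checkout the rewrite is better done with git's own tooling, i.e. `git config -f .gitmodules submodule.NAME.url https://...` for each flagged submodule followed by `git submodule sync`, so that both .gitmodules and the already-initialised submodule remotes in .git/config agree. Until a project ships the fix, a client can also protect itself with `git config --global url."https://HOST/".insteadOf "git://HOST/"`, which makes git rewrite every git:// fetch from that host to HTTPS, provided the host serves the repositories over HTTPS at all.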
