[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Libreboot] Git clone authentication

From: Leah Rowe
Subject: Re: [Libreboot] Git clone authentication
Date: Sat, 20 Aug 2016 10:11:42 +0100
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Icedove/38.8.0

Hash: SHA1


Op 20/08/16 om 01:41 schreef koanhead:
> On 08/19/2016 08:57 AM, Duncan Guthrie wrote:
>> Hi folks, Reading the Git documentation, it appears that a git
>> clone git:// address does not transfer the data over a secure
>> connection. It is not authenticated as far as I can tell. How can
>> we clone the git repository, while being able to verify whether
>> the data received has not been modified, for example in a "man in
>> the middle attack"? I find that Savannah doesn't provide an
>> https:// address for some reason. Thanks,
> Hi Duncan,
> According to
> savannah only offers readonly access via the git: protocol. As far
> as I know, if you want secure git access to savannah, you have to
> use ssh.
> Other than that, if you clone the repository in a manner vulnerable
> to MITM, you should still be able to verify its checksum against
> the one that's published. As far as I can tell from perusing 
>, there's no global
> sum published for the whole tree. This might not matter, since
> after all we're using git, which uses hashes to identify the
> objects it tracks. The cgit link above shows some of these hashes.
> I'm not sure just now how exactly to convince git to emit enough of
> the correct information that you can compare the results with those
> shown on the savannah site, so I'm going to send this off as-is and
> look into it; if I figure it out I'll post in reply to this.
> Hopefully someone else out there already knows how to do this
> thing?

sha1 was broken afaik, I don't remember the link but I was reading
about it. Whether it's practical in practise to mitm accesses to the
git repository I don't know. We do have other repos available listed
on thegit page on, some of which have https

- -- 
Leah Rowe

Libreboot developer

Use free software. Free as in freedom.

Use a free operating system, GNU/Linux.

Use a free BIOS.

Support freedom. Join the Free Software Foundation.

Minifree Ltd, trading as Ministry of Freedom | Registered in England,
No. 9361826 | VAT No. GB202190462
Registered Office: 19 Hilton Road, Canvey Island, Essex SS8 9QA, UK |

Version: GnuPG v2.0.22 (GNU/Linux)


reply via email to

[Prev in Thread] Current Thread [Next in Thread]