From: Simon Tournier <zimon.toutoune@gmail.com>
To: Maxim Cournoyer <maxim.cournoyer@gmail.com>
Cc: 46182@debbugs.gnu.org, Leo Famulari <leo@famulari.name>
Subject: [bug#46182] [PATCH] lint: Add 'check-git-protocol' checker.
Date: Fri, 20 Oct 2023 14:45:57 +0200 [thread overview]
Message-ID: <87v8b1mph6.fsf@gmail.com> (raw)
In-Reply-To: <87pm1am3rt.fsf@gmail.com>
Hi Maxim,
On Thu, 19 Oct 2023 at 22:22, Maxim Cournoyer <maxim.cournoyer@gmail.com> wrote:
> Thinking about this change though; why is it bad to fetch from git
> places? There may be repos out there where it's the only offered way,
> and as long as we're talking fixed output derivations, it seems moot
> whether you use HTTPS, HTTP or X to retrieve the files (unless you are
> worried about your traffic being monitored, but that's not in scope, I'd
> say).
Why would not it be in scope?
Being able to strongly verify (sha256) that the content you fetch is the
data you expect does not imply that the protocol for communicating
cannot be exploited for other means.
Well, git:// protocol is not supported by well-known forges. Quoting
Pro Git book:
The Cons
Due to the lack of TLS or other cryptography, cloning over
git:// might lead to an arbitrary code execution vulnerability,
and should therefore be avoided unless you know what you are
doing.
https://git-scm.com/book/en/v2/Git-on-the-Server-The-Protocols
And I do not have enough imagination to find a way to exploit the git://
protocol. However, it appears to me a good practise to warn when this
protocol is used. Somehow, a lint message is a recommendation – a good
practise – and not an absolute truth. :-)
In short, from my point of view, the general rule reads: avoid git://
protocol if you can. Obviously, if you cannot because it is the only
offered way by some repositories, then let make an exception; but it
does mean that’s a good practise.
Cheers,
simon
next prev parent reply other threads:[~2023-10-20 15:27 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-01-30 1:04 [bug#46182] [PATCH] lint: Add 'check-git-protocol' checker Leo Famulari
2021-03-11 0:14 ` zimoun
2021-03-11 1:46 ` Leo Famulari
2021-03-11 9:44 ` zimoun
2023-10-20 2:22 ` Maxim Cournoyer
2023-10-20 12:45 ` Simon Tournier [this message]
2023-10-20 15:37 ` Maxim Cournoyer
2021-03-11 22:29 ` Ludovic Courtès
2022-05-22 4:15 ` Maxim Cournoyer
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://guix.gnu.org/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87v8b1mph6.fsf@gmail.com \
--to=zimon.toutoune@gmail.com \
--cc=46182@debbugs.gnu.org \
--cc=leo@famulari.name \
--cc=maxim.cournoyer@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).