From: Christopher Allan Webber <cwebber@dustycloud.org>
To: Leo Famulari <leo@famulari.name>
Cc: 27795@debbugs.gnu.org
Subject: bug#27795: Issues with upstream source for guile-emacs
Date: Sat, 29 Jul 2017 11:20:19 -0500 [thread overview]
Message-ID: <87mv7nz03g.fsf@dustycloud.org> (raw)
In-Reply-To: <20170723160522.GB18230@jasmine.lan>
Leo Famulari writes:
> On Sun, Jul 23, 2017 at 04:22:06PM +0200, Ricardo Wurmus wrote:
>>
>> Ricardo Wurmus <rekado@elephly.net> writes:
>>
>> > Leo Famulari <leo@famulari.name> writes:
>> >
>> >> While working on the bug 'Changing package source URLs from git:// to
>> >> https://' [0], I noticed an issue with the sources for guile-emacs.
>> >>
>> >> We currently fetch this source code over the unauthenticated GIT
>> >> protocol. It is also available over HTTPS. However, these two protocols
>> >> are returning different Git repos for some reason.
>> >
>> > The clone times out for me:
>> >
>> > --8<---------------cut here---------------start------------->8---
>> > git clone https://git.hcoop.net/git/bpt/emacs.git guile-emacs-over-https
>> > Cloning into 'guile-emacs-over-https'...
>> > ^C
>> > --8<---------------cut here---------------end--------------->8---
>> >
>> > But the clone from git:// works fine.
>> >
>> > Is the repository actually served over HTTPS?
>>
>> Don’t mind me. It eventually worked. The repositories have different
>> histories, and the https-repo looks like it is two commits behind.
>> Looks like an older rebase.
>>
>> I’d say we should leave it with the current git:// URL.
>
> The thing is, since the git:// protocol is unauthenticated, we could
> assume that those extra two commits are added by a MitM :/
>
> Somebody who is interested in guile-emacs should really ask upstream
> what is going on.
Since we hash the checkout's contents, an attacker would have to be very
consistently adding those two commits for both the original packager
(me) and all subsequent users... a possible attack, but I think it's not
the biggest thing to worry about.
next prev parent reply other threads:[~2017-07-29 16:21 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-07-22 23:19 bug#27795: Issues with upstream source for guile-emacs Leo Famulari
2017-07-23 12:32 ` Ricardo Wurmus
2017-07-23 14:22 ` Ricardo Wurmus
2017-07-23 16:05 ` Leo Famulari
2017-07-29 16:20 ` Christopher Allan Webber [this message]
2019-02-25 23:25 ` Leo Famulari
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87mv7nz03g.fsf@dustycloud.org \
--to=cwebber@dustycloud.org \
--cc=27795@debbugs.gnu.org \
--cc=leo@famulari.name \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this external index
https://git.savannah.gnu.org/cgit/guix.git
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.