Gentoo Archives: gentoo-dev

From: Duncan <1i5t5.duncan@×××.net>
To: gentoo-dev@l.g.o
Subject: [gentoo-dev] Re: [PATCH 2/2] git-r3.eclass: Explicitly warn about unsecure protocols
Date: Sat, 19 Aug 2017 22:01:28
Message-Id: pan$b194d$2869943c$b8890f8f$e5692b7f@cox.net
In Reply to: [gentoo-dev] [PATCH 2/2] git-r3.eclass: Explicitly warn about unsecure protocols by "Michał Górny"
Michał Górny posted on Sat, 19 Aug 2017 10:25:02 +0200 as excerpted:

> Explicitly warn about any URI that uses an unsecure protocol (git, http)
> even if it's a fallback URI. This is necessary because an attacker may
> block HTTPS connections, effectively forcing the fallback to
> the unsecure protocol.

Thanks for this pair of patches. One minor correction, below.

> eclass/git-r3.eclass | 11 ++++++++++-
> 1 file changed, 10 insertions(+), 1 deletion(-)
>
> diff --git a/eclass/git-r3.eclass b/eclass/git-r3.eclass
> index 42b586811368..1eb0baedc67f 100644
> --- a/eclass/git-r3.eclass
> +++ b/eclass/git-r3.eclass
> @@ -570,6 +570,15 @@ git-r3_fetch() {
>
> [[ ${repos[@]} ]] || die "No URI provided and EGIT_REPO_URI unset"
>
> + local r
> + for r in "${repos[@]}"; do
> + if [[ ${r} == git:* || ${r} == http:* ]]; then
> + ewarn "git-r3: ${r%%:*} protocol in unsafe and may be subject to MITM attacks"

s/in unsafe/is unsafe/

(Tho I can imagine a point at which "unsafe" becomes a list/array, defined
at the top of the function along with the other defines, or in a new git-r3_check_unsafe
function, at which point "in unsafe" could make sense. But that's not the structure here.)

> + ewarn "(even if used only as fallback). Please use https instead."
> + ewarn "[URI: ${r}]"
> + fi
> + done
> +
> local -x GIT_DIR
> _git-r3_set_gitdir "${repos[0]}"
>
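Review bot: the test `[[ ${r} == git:* || ${r} == http:* ]]` matches only a lowercase scheme prefix, so a URI written as `HTTP://...` slips past the warning, and `ftp://` (also plaintext, if the eclass lets such a URI reach git at all) is not covered either; consider lowercasing `${r}` before the comparison and, if ftp is accepted, adding `ftp:*` to the pattern. The `ewarn` text also has the typo already noted above ("in unsafe" for "is unsafe").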
> @@ -582,7 +591,7 @@ git-r3_fetch() {
> fi
>
> # try to fetch from the remote
> - local r success saved_umask
> + local success saved_umask
> if [[ ${EVCS_UMASK} ]]; then
> saved_umask=$(umask)
> umask "${EVCS_UMASK}" || die "Bad options to umask: ${EVCS_UMASK}"
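Review bot: dropping `r` from `local r success saved_umask` is correct only because the first hunk now declares `local r` earlier in the same function (bash `local` is function-scoped, so a second declaration would be redundant and the fetch loop below reuses the variable); read on its own this hunk looks like it removes a declaration the code still needs, so a sentence in the commit message saying the declaration moved up would help the next reader.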

--
Duncan - List replies preferred. No HTML msgs.
"Every nonfree program has a lord, a master --
and if you use the program, he is your master." Richard Stallman
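As an added example, not part of Michał's patch or of the git-r3 eclass: a POSIX sh classifier of git remote URIs by transport, run over every URI in a primary-plus-fallback list so that a plaintext fallback is reported, which is the point the commit message makes about an attacker blocking HTTPS. It goes beyond the hunk in matching schemes case-insensitively and in treating ftp:// as plaintext and scp-style user@host:path as ssh; those scheme rules, the function names and the example.invalid URIs are assumptions of this example, not anything the eclass does.

```shell
#!/bin/sh
# Added example; not code from the eclass or the patch under review.
# Assumed scheme rules: git://, http://, ftp:// are plaintext; https://,
# ssh://, git+ssh://, ssh+git://, ftps:// are authenticated transports;
# user@host:path (no "://") is git's scp-like syntax and goes over ssh.

# Print "insecure", "secure", "local" or "unknown" for one URI.
# The scheme is compared case-insensitively so HTTP:// is not missed.
git_uri_class() {
    lc=$(printf '%s\n' "$1" | tr '[:upper:]' '[:lower:]')
    case "$lc" in
        git://*|http://*|ftp://*)                            echo insecure ;;
        https://*|ssh://*|git+ssh://*|ssh+git://*|ftps://*)  echo secure ;;
        file://*|/*|./*|../*)                                echo local ;;
        *://*)                                               echo unknown ;;
        *:*)                                                 echo secure ;;
        *)                                                   echo local ;;
    esac
}

# Given a whitespace-separated list of URIs (primary first, fallbacks
# after it), print every plaintext URI on its own line.  Returns 0 when
# at least one was found, 1 otherwise, so callers can warn on any
# fallback and not only on the primary URI.
insecure_uris() {
    found=1
    for r in $1; do
        if [ "$(git_uri_class "$r")" = insecure ]; then
            printf '%s\n' "$r"
            found=0
        fi
    done
    return $found
}

# Constructed sample: an HTTPS primary with a git:// fallback, the
# downgrade case described in the commit message.
SAMPLE_REPOS="https://example.invalid/repo.git git://example.invalid/repo.git"

if insecure_uris "$SAMPLE_REPOS" >/dev/null; then
    printf 'warning: plaintext fallback URI present, subject to MITM\n' >&2
fi
```

The classifier returns a word rather than printing a warning so the same function can drive an `ewarn`, a `die`, or a test; the caller decides the policy.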
