On 07 Feb 2022 00:19, Vincent Lefevre wrote:
> On 2022-02-06 16:43:47 -0500, Mike Frysinger wrote:
> > it requires more than a MITM to be successful. you'd also have to
> > come up with a sha1 collision which is non-trivial for most people.
> > not out of the reach of nation states, but we prob aren't the target
> > market :p.
>
> I don't understand why you would need a sha1 collision, while you
> don't have a sha1 to compare with: say, the current local status is
> at a commit common to the real repository and to a fake repository,
> then the remote repositories diverge: with a "git fetch" only, how
> can you distinguish the real new commits and the fake new commits?
the repository is pinned to a specific commit as you can see online:
https://git.savannah.gnu.org/cgit/libtool.git/log/gnulib
so the normal git clone + submodule sync requires a sha1 collision.

if someone were to manually update the submodule to a newer version, then
you only have to MITM new fake commits, but presumably a commit updating
the pin would be detected fairly quickly as no one else is going to have
those commits injected.
-mike
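As an added illustration of the point above (this is not code from the thread or from libtool/gnulib): a submodule gitlink records a git object id, and git derives that id as SHA-1 over the object's type, size and complete content, so a remote serving different content for the pinned commit cannot satisfy the pin without a SHA-1 collision. The commit body below is constructed for the example and is not a real gnulib commit.

```python
import hashlib


def git_object_id(kind: str, body: bytes) -> str:
    """Return the id git assigns to an object of type `kind`
    ("commit", "tree", "blob", "tag") with raw content `body`.

    Git hashes "<kind> <size>\\0<body>", so the id commits to
    every byte of the object, including tree pointer and parents.
    """
    header = f"{kind} {len(body)}\0".encode()
    return hashlib.sha1(header + body).hexdigest()


def pin_matches(pinned: str, kind: str, body: bytes) -> bool:
    """True only if the object a remote served hashes to the pinned id.

    This is the check a superproject effectively performs when it
    checks out a submodule at its recorded gitlink: content that
    differs in any byte yields a different id and is rejected.
    """
    return git_object_id(kind, body) == pinned.lower()


# Constructed sample commit body (not a real gnulib commit).
SAMPLE_COMMIT = (
    b"tree 4b825dc642cb6eb9a060e54bf8d69288fbee4904\n"
    b"author A U Thor <author@example.com> 1644190000 +0000\n"
    b"committer A U Thor <author@example.com> 1644190000 +0000\n"
    b"\n"
    b"gnulib: update to upstream snapshot\n"
)

# What the superproject's gitlink would record for this commit.
PINNED = git_object_id("commit", SAMPLE_COMMIT)


def demo() -> tuple:
    """Genuine content satisfies the pin; altered content does not."""
    tampered = SAMPLE_COMMIT.replace(
        b"upstream snapshot", b"upstream snapshot (altered)"
    )
    return (
        pin_matches(PINNED, "commit", SAMPLE_COMMIT),
        pin_matches(PINNED, "commit", tampered),
    )
```

The same function reproduces git's own ids for known objects (the empty blob is e69de29bb2d1d6434b8b29ae775ad8c2e48c5391), which is what makes a pinned gitlink verifiable against any remote.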