On Mon, Feb 22, 2016 at 9:43 PM, Joe Anakata <[email protected]> wrote: > (Also it was mentioned this would only work for people making a fresh > clone; anyone with an existing clone would almost certainly know > something was up.)
No, definitely a MITM attack is feasible that would be fast forwardable just fine for a pull onto an existing repo. > Also there is the issue of the book reference, which is hard to > change. Though, for this, you could just have a dummy server which > redirects people, something which is essentially: > > nc -l -p 9418 -c "echo -n 002AERR please use https://foo.bar/foo.git"; Right, this is exactly what I wound up doing, except much higher performance using epoll: https://git.zx2c4.com/git-daemon-dummy/about/ I haven't decided whether or not to deploy it, but the code is there. > (Of course, someone could still MITM *that*. Right. But the idea, anyhow, would just be to let the readers of the book know what's up, rather than leaving them in the dark. _______________________________________________ CGit mailing list [email protected] http://lists.zx2c4.com/mailman/listinfo/cgit
