On 08/19/2016 08:57 AM, Duncan Guthrie wrote:
> Hi folks,
> Reading the Git documentation, it appears that a git clone git:// address
> does not transfer the data over a secure connection. It is not authenticated
> as far as I can tell.
> How can we clone the git repository, while being able to verify whether the
> data received has not been modified, for example in a "man in the middle
> attack"?
> I find that Savannah doesn't provide an https:// address for some reason.
> Thanks,

Hi Duncan,

According to https://savannah.gnu.org/maintenance/UsingGit/ Savannah only offers read-only access via the git: protocol. As far as I know, if you want secure git access to Savannah, you have to use ssh.

Other than that, if you clone the repository in a manner vulnerable to MITM, you should still be able to verify its checksum against the one that's published. As far as I can tell from perusing http://git.savannah.gnu.org/cgit/libreboot.git/, there's no global sum published for the whole tree. This might not matter, since after all we're using git, which uses hashes to identify the objects it tracks. The cgit link above shows some of these hashes.

I'm not sure just now how exactly to convince git to emit enough of the correct information that you can compare the results with those shown on the Savannah site, so I'm going to send this off as-is and look into it; if I figure it out I'll post in reply to this. Hopefully someone else out there already knows how to do this thing?
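An added illustration, not part of the original message or of Savannah's tooling: the sketch below recomputes git object ids by hand to show why one commit hash stands in for a checksum of the whole tree. The file name, identity line, commit message and file contents are constructed, and the tree encoder assumes a flat list of files.

```python
import hashlib

IDENT = "A U Thor <author@example.org> 1471593600 +0000"  # constructed identity

def git_object_id(obj_type: str, body: bytes) -> str:
    """Id git assigns to an object: SHA-1 over '<type> <size>\\0<body>'."""
    header = f"{obj_type} {len(body)}".encode() + b"\x00"
    return hashlib.sha1(header + body).hexdigest()

def tree_body(entries):
    """Encode (mode, name, hex_id) entries; flat file lists only, sorted by name."""
    out = b""
    for mode, name, hex_id in sorted(entries, key=lambda e: e[1]):
        out += f"{mode} {name}".encode() + b"\x00" + bytes.fromhex(hex_id)
    return out

def commit_body(tree_id: str, parent_ids, message: str) -> bytes:
    """A commit names its tree and parents by id, so it covers all of them."""
    lines = [f"tree {tree_id}"]
    lines += [f"parent {p}" for p in parent_ids]
    lines += [f"author {IDENT}", f"committer {IDENT}", "", message]
    return ("\n".join(lines) + "\n").encode()

def commit_id_for(file_content: bytes) -> str:
    """Commit id of a one-file repository holding file_content as README."""
    blob = git_object_id("blob", file_content)
    tree = git_object_id("tree", tree_body([("100644", "README", blob)]))
    return git_object_id("commit", commit_body(tree, [], "initial import"))

def matches_published(file_content: bytes, published_commit_id: str) -> bool:
    """True only if the received content hashes up to the published commit id."""
    return commit_id_for(file_content) == published_commit_id

if __name__ == "__main__":
    published = commit_id_for(b"genuine contents\n")   # id seen on a trusted page
    print("genuine :", matches_published(b"genuine contents\n", published))
    print("tampered:", matches_published(b"genuine contentz\n", published))
```

In a real clone, `git rev-parse HEAD` prints the commit id to compare and `git fsck` re-hashes the stored objects; the comparison only helps if the published id was obtained over a channel the attacker cannot alter.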
