Hi,

On 20/08/16 at 01:41, koanhead wrote:
> On 08/19/2016 08:57 AM, Duncan Guthrie wrote:
>> Hi folks, Reading the Git documentation, it appears that a git
>> clone git:// address does not transfer the data over a secure
>> connection. It is not authenticated as far as I can tell. How can
>> we clone the git repository, while being able to verify whether
>> the data received has not been modified, for example in a "man in
>> the middle attack"? I find that Savannah doesn't provide an
>> https:// address for some reason. Thanks,
>>
> Hi Duncan,
>
> According to https://savannah.gnu.org/maintenance/UsingGit/
> savannah only offers readonly access via the git: protocol. As far
> as I know, if you want secure git access to savannah, you have to
> use ssh.
>
> Other than that, if you clone the repository in a manner vulnerable
> to MITM, you should still be able to verify its checksum against
> the one that's published. As far as I can tell from perusing
> http://git.savannah.gnu.org/cgit/libreboot.git/, there's no global
> sum published for the whole tree. This might not matter, since
> after all we're using git, which uses hashes to identify the
> objects it tracks. The cgit link above shows some of these hashes.
> I'm not sure just now how exactly to convince git to emit enough of
> the correct information that you can compare the results with those
> shown on the savannah site, so I'm going to send this off as-is and
> look into it; if I figure it out I'll post in reply to this.
> Hopefully someone else out there already knows how to do this
> thing?
>

SHA1 was broken afaik, I don't remember the link but I was reading
about it. Whether it's practical in practice to MITM accesses to the
git repository I don't know.

We do have other repos available listed on the git page on
libreboot.org, some of which have https.

-- 
Leah Rowe
Libreboot developer

Use free software. Free as in freedom.
https://www.gnu.org/philosophy/free-sw.html

Use a free operating system, GNU/Linux.
https://www.gnu.org/

Use a free BIOS.
https://libreboot.org/

Support freedom. Join the Free Software Foundation.
https://fsf.org/

Minifree Ltd, trading as Ministry of Freedom | Registered in England,
No. 9361826 | VAT No. GB202190462
Registered Office: 19 Hilton Road, Canvey Island, Essex SS8 9QA, UK |
Web: http://minifree.org/
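The comparison discussed in this thread, as an added example that is not part of the original messages or of the Libreboot project: a shell function that checks a clone's tip commit against a full commit ID obtained over a channel you trust. The function names, the demo repositories and their contents are constructed for illustration, and the check is only as strong as the hash git uses for object IDs.

```shell
#!/bin/sh
# Added example: check a clone's tip commit against a commit ID obtained
# over a channel you trust. All repositories below are constructed locally.

# verify_clone REPO EXPECTED_ID [REF]
# Returns 0 only if REPO passes an integrity check and REF (default HEAD)
# resolves to exactly EXPECTED_ID (full 40-hex ID, never an abbreviation).
verify_clone() {
    repo=$1; expected=$2; ref=${3:-HEAD}
    case $expected in
        *[!0-9a-f]*) echo "expected ID is not lowercase hex" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 40 ] || { echo "need full 40-hex ID" >&2; return 2; }
    # Re-hash every local object and check the object graph is complete.
    git -C "$repo" fsck --full --strict >/dev/null 2>&1 || return 3
    actual=$(git -C "$repo" rev-parse --verify "$ref^{commit}") || return 3
    [ "$actual" = "$expected" ]
}

# make_demo_repos DIR: build a constructed "upstream" repository, an honest
# clone, and a clone whose content was altered in transit (simulated by an
# extra commit with the same message). Prints the upstream tip commit ID.
make_demo_repos() {
    dir=$1
    g="git -c user.name=demo -c user.email=demo@example.invalid"
    git init -q "$dir/upstream"
    echo 'build script v1' > "$dir/upstream/build.sh"
    git -C "$dir/upstream" add build.sh
    $g -C "$dir/upstream" commit -q -m 'initial import'
    git clone -q "$dir/upstream" "$dir/honest"
    git clone -q "$dir/upstream" "$dir/tampered"
    echo 'injected line' >> "$dir/tampered/build.sh"
    $g -C "$dir/tampered" commit -q -a -m 'initial import'
    git -C "$dir/upstream" rev-parse HEAD
}

demo() {
    tmp=$(mktemp -d) || return 1
    trusted=$(make_demo_repos "$tmp")
    verify_clone "$tmp/honest" "$trusted" && echo "honest clone: OK"
    verify_clone "$tmp/tampered" "$trusted" || echo "tampered clone: MISMATCH"
    rm -rf "$tmp"
}
demo
```

Because a commit ID covers its tree and all parent commits, one matching ID vouches for the whole history reachable from that commit; other branches and tags need their own comparison.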
