On 2022-02-06 19:49:36 -0500, Mike Frysinger wrote:
> the repository is pinned to a specific commit as you can see online:
> https://git.savannah.gnu.org/cgit/libtool.git/log/gnulib
>
> so the normal git clone + submodule sync requires a sha1 collision.
>
> if someone were to manually update the submodule to a newer version,
> then you only have to MITM new fake commits, but presumably a commit
> updating the pin would be detected fairly quickly as no one else is
> going to have those commits injected.
OK, but I was thinking in particular of the case of a manual update without a commit updating the pin. The user may want to do that for testing, e.g. in case of a problem with old gnulib code or to mimic what is done on Debian (where libtool uses the version from the gnulib package, so that it is interesting to know the behavior with the current gnulib).

-- 
Vincent Lefèvre <vinc...@vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)
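The distinction the two messages turn on is whether the gnulib submodule's checked-out HEAD still equals the commit recorded in libtool's own tree (the "gitlink" entry that `git submodule update` would restore, and that an attacker cannot change without a SHA-1 collision). A manual `git pull` inside the submodule, with no commit updating the pin, leaves the two out of sync; `git submodule status` marks that state with a leading `+`. The following is an added example, not code from this thread, from libtool or from gnulib; it parses the output of `git ls-tree` and `git submodule status` so the drift can be flagged in a pre-build or CI check, and it can also run the two git commands against a real checkout. The hashes in the sample lines are constructed, and the function and class names are my own.

```python
"""Detect a git submodule whose checked-out commit drifted from its pin.

Added example (not from the libtool/gnulib thread).  The pin lives in the
superproject's tree as a gitlink entry (mode 160000); `git submodule status`
prefixes a '+' when the submodule's HEAD differs from that entry, which is
the situation a manual, uncommitted update of gnulib produces.
"""
import re
import subprocess
from dataclasses import dataclass
from typing import Optional

# `git ls-tree HEAD -- <path>` prints a gitlink for a submodule:
#   160000 commit <sha1>\t<path>
GITLINK_RE = re.compile(r"^160000 commit ([0-9a-f]{40})\t(.+)$")

# `git submodule status` prints one line per submodule:
#   <flag><sha1> <path> (<describe>)
# flag is ' ' (HEAD matches the pin), '+' (HEAD differs from the pin),
# '-' (not initialised) or 'U' (merge conflicts).  The describe part is
# optional; paths containing spaces are not handled here.
STATUS_RE = re.compile(r"^([ +\-U])([0-9a-f]{40}) (.+?)(?: \((.*)\))?$")


@dataclass
class SubmoduleState:
    path: str
    pinned: Optional[str]       # sha1 recorded in the superproject's tree
    checked_out: Optional[str]  # sha1 the submodule working tree is at
    flag: str                   # same meaning as the `git submodule status` flag

    @property
    def drifted(self) -> bool:
        """True when the checkout no longer matches the pin (the MITM window)."""
        return self.flag == "+"


def parse_gitlink(line: str) -> tuple[str, str]:
    """Return (sha1, path) from one `git ls-tree` gitlink line."""
    m = GITLINK_RE.match(line.rstrip("\n"))
    if not m:
        raise ValueError(f"not a gitlink entry: {line!r}")
    return m.group(1), m.group(2)


def parse_status_line(line: str) -> SubmoduleState:
    """Parse one `git submodule status` line into a SubmoduleState."""
    m = STATUS_RE.match(line.rstrip("\n"))
    if not m:
        raise ValueError(f"unrecognised submodule status line: {line!r}")
    flag, sha, path, _describe = m.groups()
    # A status line carries a single sha1: the pinned one when the submodule
    # is in sync or not initialised, the checked-out one otherwise.
    pinned = sha if flag in (" ", "-") else None
    checked_out = sha if flag != "-" else None
    return SubmoduleState(path, pinned, checked_out, flag)


def compare(pinned: str, checked_out: str, path: str) -> SubmoduleState:
    """Derive the status flag from the two sha1s (what git's '+' encodes)."""
    flag = " " if pinned == checked_out else "+"
    return SubmoduleState(path, pinned, checked_out, flag)


def check_live(superproject: str, path: str) -> SubmoduleState:
    """Run git against a real checkout (needs git and an initialised submodule)."""
    def git(*args: str, cwd: str) -> str:
        return subprocess.run(["git", *args], cwd=cwd, check=True,
                              capture_output=True, text=True).stdout
    pinned, _ = parse_gitlink(git("ls-tree", "HEAD", "--", path, cwd=superproject))
    checked_out = git("rev-parse", "HEAD", cwd=f"{superproject}/{path}").strip()
    return compare(pinned, checked_out, path)


# Constructed sample data (not real libtool/gnulib hashes): the pin recorded
# in the superproject, one in-sync status line, and one taken after a manual
# `git -C gnulib pull` that was never committed as a new pin.
PINNED_GITLINK = "160000 commit 0123456789abcdef0123456789abcdef01234567\tgnulib"
STATUS_IN_SYNC = " 0123456789abcdef0123456789abcdef01234567 gnulib (v0.1-5123-g0123456)"
STATUS_DRIFTED = "+89abcdef0123456789abcdef0123456789abcdef gnulib (v0.1-5210-g89abcde)"


def demo() -> list[SubmoduleState]:
    """Evaluate the constructed samples; returns [in-sync, drifted, cross-check]."""
    pinned, path = parse_gitlink(PINNED_GITLINK)
    states = [parse_status_line(STATUS_IN_SYNC), parse_status_line(STATUS_DRIFTED)]
    # Cross-check the drifted line against the gitlink the same way git does.
    states.append(compare(pinned, states[1].checked_out, path))
    return states


if __name__ == "__main__":
    for s in demo():
        verdict = "DRIFT: submodule HEAD is not the pinned commit" if s.drifted else "ok"
        print(f"{s.path}: {verdict}")
```

In a build or CI script the useful call is `check_live(".", "gnulib")` from the libtool top level; a `drifted` result means the gnulib code about to be built is whatever the submodule's remote served during the manual update, not the commit the pin vouches for, so the build should at least say so loudly before proceeding.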