On 04/07/17 13:15, Eli Schwartz wrote:
> As per
> https://lists.archlinux.org/pipermail/arch-general/2017-July/043876.html
> git doesn't check that the tag name matches what an annotated tag object
> *thinks* it should be called. This is a bit of a theoretical attack and
> some would argue that we should always use commits since upstream can
> legitimately change a tag, but nevertheless this can result in a
> downgrade attack if the git download transport was manipulated.
>
> So, check the tag blob to make sure the tag actually matches the name we
> used for `git checkout`
>
> Signed-off-by: Eli Schwartz <eschwart...@gmail.com>
This should be fixed in git.
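The check the quoted commit message describes, written out as an added example (not the patch itself and not makepkg's code): parse the `git cat-file -p <tag>` output of an annotated tag object and compare its `tag` header with the name that was used for checkout. The tag objects below are constructed, and `verify_ref_in_repo` assumes a `git` binary is available.

```python
"""Verify that an annotated tag object's embedded name matches the ref name it
was fetched under. git does not check this itself, so a manipulated transport
can serve an older tag object under a newer tag name. Added example, not
pacman/makepkg code; sample tag objects are constructed."""
import subprocess
from typing import Optional

# Constructed output resembling `git cat-file -p refs/tags/v2.0.0`.
TAG_OBJECT_OK = (
    "object 1111111111111111111111111111111111111111\n"
    "type commit\n"
    "tag v2.0.0\n"
    "tagger Example Maintainer <maint@example.invalid> 1499000000 +0000\n"
    "\n"
    "Release 2.0.0\n"
)

# Constructed downgrade case: the v1.0.0 tag object served under the name v2.0.0.
TAG_OBJECT_MISMATCH = TAG_OBJECT_OK.replace("tag v2.0.0", "tag v1.0.0")


def embedded_tag_name(tag_object: str) -> Optional[str]:
    """Return the value of the tag object's 'tag' header, or None if absent.
    Headers end at the first blank line; the tag message body is ignored."""
    headers = tag_object.split("\n\n", 1)[0]
    for line in headers.splitlines():
        if line.startswith("tag "):
            return line[len("tag "):]
    return None


def tag_name_matches(requested: str, tag_object: str) -> bool:
    """True when the name used for `git checkout` equals the tag's own name."""
    return embedded_tag_name(tag_object) == requested


def verify_ref_in_repo(repo: str, tag: str) -> bool:
    """Run the same check against a real repository (assumes git is installed).
    Lightweight tags point straight at a commit and carry no name to compare."""
    ref = f"refs/tags/{tag}"
    kind = subprocess.run(["git", "-C", repo, "cat-file", "-t", ref],
                          capture_output=True, text=True, check=True).stdout.strip()
    if kind != "tag":
        return True  # no tag object exists for a lightweight tag
    body = subprocess.run(["git", "-C", repo, "cat-file", "-p", ref],
                          capture_output=True, text=True, check=True).stdout
    return tag_name_matches(tag, body)
```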