On 15 July 2018 at 20:50, Jann Horn via Qemu-devel <qemu-devel@nongnu.org> wrote: > I noticed that when I build QEMU from git for the first time, it pulls > in submodules over the insecure git:// protocol - in other words, as > far as I can tell, if I'm e.g. on an open wifi network while building > QEMU for the first time, even if I cloned the main repository over > https, anyone could smuggle in malicious code as part of e.g. a > submodule's makefile.
Yes, this came up the other week. > I'm not sure what your preferred fix for this is, so I'm not sending a > patch yet. As far as I can tell, the two options are: > > - change .gitmodules to use https for everything We should probably do this... > - change .gitmodules to use relative URLs > > If you want, I'll send a patch that does one of these, although it's > probably faster if you just do it yourselves. > > Relative URLs would have the advantage that if someone is cloning from > a mirror (in other words, github), the submodules will also > automatically come from the same mirror. Do we mirror all our submodules to github? > As far as I can tell, the QEMU git server only supports the "dumb" git > protocol when accessed over HTTPS, not the "smart" protocol. I'm not > sure whether that might be why QEMU is currently still using the > insecure git protocol instead of git over HTTPS? This is why we haven't switched over the submodules yet, yes. It's on Jeff's todo list for the server, though. thanks -- PMM
