[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Libreboot] Git clone authentication
|
From: |
koanhead |
|
Subject: |
Re: [Libreboot] Git clone authentication |
|
Date: |
Fri, 19 Aug 2016 17:41:51 -0700 |
On 08/19/2016 08:57 AM, Duncan Guthrie wrote:
> Hi folks,
> Reading the Git documentation, it appears that a git clone git:// address
> does not transfer the data over a secure connection. It is not authenticated
> as far as I can tell.
> How can we clone the git repository, while being able to verify whether the
> data received has not been modified, for example in a "man in the middle
> attack"?
> I find that Savannah doesn't provide an https:// address for some reason.
> Thanks,
>
Hi Duncan,
According to https://savannah.gnu.org/maintenance/UsingGit/ savannah
only offers readonly access via the git: protocol. As far as I know, if
you want secure git access to savannah, you have to use ssh.
Other than that, if you clone the repository in a manner vulnerable to
MITM, you should still be able to verify its checksum against the one
that's published. As far as I can tell from perusing
http://git.savannah.gnu.org/cgit/libreboot.git/, there's no global sum
published for the whole tree. This might not matter, since after all
we're using git, which uses hashes to identify the objects it tracks.
The cgit link above shows some of these hashes. I'm not sure just now
how exactly to convince git to emit enough of the correct information
that you can compare the results with those shown on the savannah site,
so I'm going to send this off as-is and look into it; if I figure it out
I'll post in reply to this. Hopefully someone else out there already
knows how to do this thing?