
Re: [Libreboot] Git clone authentication


From: Leah Rowe
Subject: Re: [Libreboot] Git clone authentication
Date: Sat, 20 Aug 2016 10:11:42 +0100
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Icedove/38.8.0

Hi,

On 20/08/16 at 01:41, koanhead wrote:
> On 08/19/2016 08:57 AM, Duncan Guthrie wrote:
>> Hi folks, Reading the Git documentation, it appears that a git
>> clone git:// address does not transfer the data over a secure
>> connection. It is not authenticated as far as I can tell. How can
>> we clone the git repository, while being able to verify whether
>> the data received has not been modified, for example in a "man in
>> the middle attack"? I find that Savannah doesn't provide an
>> https:// address for some reason. Thanks,
>> 
> Hi Duncan,
> 
> According to https://savannah.gnu.org/maintenance/UsingGit/
> savannah only offers readonly access via the git: protocol. As far
> as I know, if you want secure git access to savannah, you have to
> use ssh.
> 
> Other than that, if you clone the repository in a manner vulnerable
> to MITM, you should still be able to verify its checksum against
> the one that's published. As far as I can tell from perusing 
> http://git.savannah.gnu.org/cgit/libreboot.git/, there's no global
> sum published for the whole tree. This might not matter, since
> after all we're using git, which uses hashes to identify the
> objects it tracks. The cgit link above shows some of these hashes.
> I'm not sure just now how exactly to convince git to emit enough of
> the correct information that you can compare the results with those
> shown on the savannah site, so I'm going to send this off as-is and
> look into it; if I figure it out I'll post in reply to this.
> Hopefully someone else out there already knows how to do this
> thing?
> 

sha1 was broken afaik, I don't remember the link but I was reading
about it. Whether it's practical in practice to mitm accesses to the
git repository I don't know. We do have other repos available listed
on the git page on libreboot.org, some of which have https.

-- 
Leah Rowe

Libreboot developer

Use free software. Free as in freedom.
https://www.gnu.org/philosophy/free-sw.html

Use a free operating system, GNU/Linux.
https://www.gnu.org/

Use a free BIOS.
https://libreboot.org/

Support freedom. Join the Free Software Foundation.
https://fsf.org/

Minifree Ltd, trading as Ministry of Freedom | Registered in England,
No. 9361826 | VAT No. GB202190462
Registered Office: 19 Hilton Road, Canvey Island, Essex SS8 9QA, UK |
Web: http://minifree.org/

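The open question in the quoted reply (how to get git to emit hashes that can be compared against a second source) can be approached as in the following added example, which is not part of the original message or of Libreboot's tooling. It compares the ref tips two remotes advertise and checks a clone against a reference remote; the function names are hypothetical, the repositories are constructed local stand-ins for a git:// remote and an HTTPS mirror, and the result is only as trustworthy as the channel to the reference and git's object hash.

```shell
#!/bin/sh
# Added example. Function names are hypothetical; the repositories below are
# constructed local stand-ins for a git:// remote and an HTTPS mirror.

# Print "<object-id> <ref>" for every branch and tag a remote advertises.
ref_tips() {
    git ls-remote --heads --tags "$1" | sort -k2
}

# Succeed only if two remotes advertise exactly the same, non-empty ref tips.
# An unreachable remote yields an empty list and therefore fails the check.
same_tips() {
    a=$(ref_tips "$1")
    b=$(ref_tips "$2")
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# verify_clone DIR REFERENCE_URL BRANCH
# Check that the clone's objects are intact (fsck rehashes them) and that its
# branch tip is the commit the reference remote advertises for that branch.
verify_clone() {
    git -C "$1" fsck --full --strict >/dev/null 2>&1 || return 1
    local_tip=$(git -C "$1" rev-parse --verify -q "refs/heads/$3^{commit}") || return 1
    remote_tip=$(git ls-remote "$2" "refs/heads/$3" | cut -f1)
    [ -n "$remote_tip" ] && [ "$local_tip" = "$remote_tip" ]
}

# Build the constructed repositories under directory $1.
make_demo() {
    git init -q "$1/upstream" &&
    git -C "$1/upstream" symbolic-ref HEAD refs/heads/main &&
    git -C "$1/upstream" -c user.name=demo -c user.email=demo@example.invalid \
        -c commit.gpgsign=false commit -q --allow-empty -m "constructed commit" &&
    git clone -q --bare "$1/upstream" "$1/mirror" &&   # stand-in: HTTPS mirror
    git clone -q "$1/upstream" "$1/work"               # stand-in: git:// clone
}

tmp=$(mktemp -d) && make_demo "$tmp" || exit 1
same_tips "$tmp/upstream" "$tmp/mirror" && echo "both remotes advertise the same tips"
verify_clone "$tmp/work" "$tmp/mirror" main && echo "clone matches the reference"
rm -rf "$tmp"
```

With real remotes, pass the git:// URL and an HTTPS or ssh URL of a mirror to `same_tips`, and the clone directory plus the authenticated URL to `verify_clone`.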
