
musl git sources are not verified #28

Open
ollieparanoid opened this issue Mar 12, 2017 · 2 comments

Comments

@ollieparanoid

Hi there,

when downloading musl via git (which is the default), the sources get downloaded over a plain git connection without any encryption or verification.

Please switch to downloading tarballs only (where the hashes do get checked) and disable the insecure git retrieval until an HTTPS git mirror can be used.

Maybe someone can talk to the musl developers and ask for an HTTPS git mirror.

Thank you.

@richfelker
Owner

While, in light of sha1 being broken, it's not strong against an adversary with heavy resources, use of a specific git revision (MUSL_VER = git-$sha1) is verified by "git fsck", which the top-level Makefile performs. It's only if you use (and thereby trust) a branch name or tag that it's unverified. Maybe this should be documented better.
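
The distinction drawn above, as an added example that is not part of the issue thread or of the musl-cross-make Makefile: a throwaway local repository (constructed here) stands in for the musl git server, the clone/fsck/checkout sequence is a simplified stand-in for what the Makefile does, and `MUSL_VER = git-<sha1>` is the only name taken from the comment. It shows that a pinned commit hash is checked against the actual object contents by `git fsck`, that a branch name merely reports whatever the remote currently says, and that a tampered object in the fetched store makes `git fsck` fail.

```shell
#!/bin/sh
# Added example, not code from musl-cross-make: why a pinned commit hash
# (MUSL_VER = git-<sha1>) is self-verifying under "git fsck" while a branch
# or tag name only tells you what the remote currently claims.
set -eu

WORK=$(mktemp -d)
UPSTREAM="$WORK/upstream"   # constructed stand-in for the musl git server

# Build a one-commit repository and print its commit hash.
make_upstream() {
    git init -q "$UPSTREAM"
    git -C "$UPSTREAM" config user.email ci@example.invalid
    git -C "$UPSTREAM" config user.name ci
    echo 'int main(void) { return 0; }' > "$UPSTREAM/hello.c"
    git -C "$UPSTREAM" add hello.c
    git -C "$UPSTREAM" commit -q -m initial
    git -C "$UPSTREAM" rev-parse HEAD
}

# Simulate the remote moving its branch head to different content.
advance_upstream() {
    echo 'int main(void) { return 1; }' > "$UPSTREAM/hello.c"
    git -C "$UPSTREAM" commit -q -a -m "branch moved"
    git -C "$UPSTREAM" rev-parse HEAD
}

# Clone, verify that every object hashes to its name, then check out exactly
# the pinned hash. Fails if the store is inconsistent or HEAD is not that hash.
fetch_pinned() {
    src=$1; sha=$2; dst=$3
    git clone -q --no-hardlinks "$src" "$dst" 2>/dev/null
    git -C "$dst" fsck --full >/dev/null 2>&1 || return 1
    git -C "$dst" checkout -q "$sha" 2>/dev/null || return 1
    [ "$(git -C "$dst" rev-parse HEAD)" = "$sha" ]
}

# What a branch name resolves to right now; nothing binds it to content.
resolve_branch() {
    git ls-remote "$1" "refs/heads/$2" | cut -f1
}

# Overwrite one loose object in a fresh clone; succeed (0) if fsck rejects it.
tamper_detected() {
    dst=$1
    git clone -q --no-hardlinks "$UPSTREAM" "$dst" 2>/dev/null
    blob=$(git -C "$dst" rev-parse HEAD:hello.c)
    obj="$dst/.git/objects/$(printf %s "$blob" | cut -c1-2)/$(printf %s "$blob" | cut -c3-)"
    chmod u+w "$obj"               # loose objects are stored read-only
    printf 'tampered' > "$obj"
    ! git -C "$dst" fsck --full >/dev/null 2>&1
}

PIN=$(make_upstream)
BRANCH=$(git -C "$UPSTREAM" symbolic-ref --short HEAD)
fetch_pinned "$UPSTREAM" "$PIN" "$WORK/pinned" && echo "pinned checkout verified: $PIN"
NEW=$(advance_upstream)
echo "branch '$BRANCH' now resolves to $(resolve_branch "$UPSTREAM" "$BRANCH"), not $PIN"
fetch_pinned "$UPSTREAM" "$PIN" "$WORK/pinned2" && echo "pinned fetch still yields $PIN"
tamper_detected "$WORK/tampered" && echo "git fsck rejected the tampered object"
```

The pinned fetch yields the same commit before and after the upstream branch moves, while the branch name silently resolves to the new head; the corrupted-object case is what `git fsck` adds over a plain `git checkout <sha1>`, which would only fail if the named commit were missing altogether.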

@ollieparanoid
Author

ollieparanoid commented Mar 23, 2017

You are right, I did not notice the git fsck call and the implicit checkout of a specific branch - thank you for explaining.
