Do NOT use git:// to fetch upstream sources since it is vulnerable to man-in-the-middle attacks #1128

Description

@metroholografix

A quick examination of the projects directory reveals:

$ grep -R 'git://' projects/ | wc -l
556

I can't stress how bad this is. I am assuming your scripts go through the sources.txt files and
use said methods to pull down source code that they then archive and store at your distribution server.

With git:// you have no way of checking the integrity of upstream sources against actors that are operating in the middle, unless the relevant projects use signed commits and you have the developer public keys and you verify, which I'm also assuming is not the case here.

Steps you can take to address the issue:

  1. Use the https://github.com/... scheme for everything and also make sure that the git client your
    scripts use verifies certificates. It's not perfect but it raises the bar significantly compared to the
    current scheme.

  2. Immediately wipe all the archives that you created with the old method, re-download
    over HTTPS and rebuild.

Sample ~/.gitconfig:

[http]
sslVerify = true
sslCAInfo = /usr/local/share/curl/curl-ca-bundle.crt

Let me know if I'm mistaken in my assumptions.
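The following is an added example, not part of the issue above or of the project's own scripts. It shows how a maintainer could act on the two steps suggested: audit a projects/ tree for git:// references (the same grep as in the issue), rewrite them to https:// so the host and path stay identical and only the transport changes, and confirm that the git client's config does not switch off certificate verification. The layout (projects/<name>/sources.txt with one URL per line) and the sample tree are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original issue): audit sources.txt files for git://
# URLs, rewrite them to https://, and check the git client's TLS verification setting.
# The projects/<name>/sources.txt layout is an assumption.

set -eu

# Count git:// references under a directory; mirrors the grep in the issue.
count_git_urls() {
    grep -R 'git://' "$1" 2>/dev/null | wc -l | tr -d ' '
}

# Rewrite git://host/path to https://host/path in every sources.txt under $1.
# Only the scheme changes, so the repository identity (host and path) is preserved.
rewrite_git_to_https() {
    find "$1" -name sources.txt -type f | while read -r f; do
        sed 's#git://#https://#g' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
    done
}

# Return 0 if http.sslVerify is unset or true in the given gitconfig, 1 if it is
# explicitly set to false (the setting the issue asks to keep enabled).
ssl_verify_enabled() {
    cfg="${1:-$HOME/.gitconfig}"
    [ -f "$cfg" ] || return 0
    ! grep -Eiq '^[[:space:]]*sslVerify[[:space:]]*=[[:space:]]*false' "$cfg"
}

# Constructed sample tree: two projects, three URLs, two of them over git://.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/projects/foo" "$d/projects/bar"
    printf 'git://github.com/example/foo.git\n' > "$d/projects/foo/sources.txt"
    printf 'https://github.com/example/bar.git\ngit://git.example.org/bar.git\n' \
        > "$d/projects/bar/sources.txt"
    printf '%s\n' "$d"
}

# Usage: run the audit and rewrite on the sample tree, then clean up.
tree=$(make_sample_tree)
echo "git:// URLs before: $(count_git_urls "$tree/projects")"
rewrite_git_to_https "$tree/projects"
echo "git:// URLs after:  $(count_git_urls "$tree/projects")"
rm -rf "$tree"
```

Rewriting the scheme is only half of the fix: as the issue notes, the archives already fetched over git:// have to be discarded and re-fetched over HTTPS with verification on, because nothing in the existing tarballs proves they match upstream.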
