On Tue, 2010-08-03 at 11:29 -0400, Martin Langhoff wrote: > On Tue, Aug 3, 2010 at 11:16 AM, Matt McCutchen <m...@mattmccutchen.net> > wrote: > > don't want malware landing on my machine because someone did a MITM > > attack on a Fedora maintainer's unencrypted "git fetch" and inserted > > some extra patches to get pushed back to the real repository later. > > The git protocol makes it extremely hard to inject malware > successfully. It would have to match sha1, _and_ match resulting > filesize _and_ be meaningful code, all without the benefits of > preimaging.
No. If the attacker MITMs the entire connection, they can lie about the values of the remote refs too, so there is no need to find a hash collision. -- Matt -- devel mailing list devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/devel
