On Sat, 19.08.2017 at 22:01 +0000, Duncan wrote:
> Michał Górny posted on Sat, 19 Aug 2017 10:25:02 +0200 as excerpted:
>
> > Explicitly warn about any URI that uses an unsecure protocol (git, http)
> > even if it's a fallback URI. This is necessary because an attacker may
> > block HTTPS connections, effectively forcing the fallback to
> > the unsecure protocol.
>
> Thanks for this pair of patches. One minor correction, below.
>
> > eclass/git-r3.eclass | 11 ++++++++++-
> > 1 file changed, 10 insertions(+), 1 deletion(-)
> >
> > diff --git a/eclass/git-r3.eclass b/eclass/git-r3.eclass
> > index 42b586811368..1eb0baedc67f 100644
> > --- a/eclass/git-r3.eclass
> > +++ b/eclass/git-r3.eclass
> > @@ -570,6 +570,15 @@ git-r3_fetch() {
> >
> > [[ ${repos[@]} ]] || die "No URI provided and EGIT_REPO_URI unset"
> >
> > + local r
> > + for r in "${repos[@]}"; do
> > + if [[ ${r} == git:* || ${r} == http:* ]]; then
> > + ewarn "git-r3: ${r%%:*} protocol in unsafe and may be
> > subject to MITM attacks"
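Review bot: the ewarn text in the added loop prints only the scheme (`${r%%:*}`), so when `repos` holds several URIs the user cannot tell which entry triggered the warning; consider including `${r}` itself in the message. The `git:*` and `http:*` patterns in the `[[ ... ]]` test are also matched case-sensitively, so a URI written with an upper-case scheme would not be flagged; lower-casing with `${r,,}` before the comparison would cover that.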
>
> s/in unsafe/is unsafe/
>
Thanks, fixed locally.
--
Best regards,
Michał Górny