On Sat, 19.08.2017 at 22:01 +0000, Duncan wrote:
> Michał Górny posted on Sat, 19 Aug 2017 10:25:02 +0200 as excerpted: > > > Explicitly warn about any URI that uses an unsecure protocol (git, http) > > even if it's a fallback URI. This is necessary because an attacker may > > block HTTPS connections, effectively forcing the fallback to > > the unsecure protocol. > > Thanks for this pair of patches. One minor correction, below. > > > eclass/git-r3.eclass | 11 ++++++++++- > > 1 file changed, 10 insertions(+), 1 deletion(-) > > > > diff --git a/eclass/git-r3.eclass b/eclass/git-r3.eclass > > index 42b586811368..1eb0baedc67f 100644 > > --- a/eclass/git-r3.eclass > > +++ b/eclass/git-r3.eclass > > @@ -570,6 +570,15 @@ git-r3_fetch() { > > > > [[ ${repos[@]} ]] || die "No URI provided and EGIT_REPO_URI unset" > > > > + local r > > + for r in "${repos[@]}"; do > > + if [[ ${r} == git:* || ${r} == http:* ]]; then > > + ewarn "git-r3: ${r%%:*} protocol in unsafe and may be > > subject to MITM attacks" > > s/in unsafe/is unsafe/ >
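Review bot: The scheme test in `if [[ ${r} == git:* || ${r} == http:* ]]` is case-sensitive, while URI schemes are case-insensitive, so an entry written as `HTTP://...` or `Git://...` passes through the loop without a warning. Since the stated goal is to warn about every unsecure URI, including fallbacks, consider matching against a lowercased copy of the scheme. The ewarn text also names only `${r%%:*}`; with several entries in `repos`, including `${r}` itself in the message would tell the user which URI to fix.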
Thanks, fixed locally.

-- 
Best regards,
Michał Górny