Hey, I can't claim to be an expert on this category of vulnerability,
but I appreciate you raising this concern.
So is your recommendation to use
https://git.savannah.gnu.org/git/gnulib.git instead of
git://git.sv.gnu.org/gnulib.git?

On 2/6/22 2:26 PM, Vincent Lefevre wrote:
> On 2022-02-06 21:22:11 +0100, Vincent Lefevre wrote:
>> The .gitmodules file contains:
>>
>> [submodule "gnulib"]
>>     path = gnulib
>>     url = git://git.sv.gnu.org/gnulib.git
>> [submodule "bootstrap"]
>>     path = gl-mod/bootstrap
>>     url = https://github.com/gnulib-modules/bootstrap.git
>>
>> but AFAIK, there is no host authentication done with the "git:"
>> protocol, so that this is vulnerable to MitM attacks.
>>
>> How about changing this to https?
>
> Additional details: i.e. https://git.savannah.gnu.org/git/gnulib.git
> according to what is described on
> https://www.gnu.org/software/gnulib/
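
Added example (not part of the original messages and not code from this project): a POSIX shell check that lists the submodule URLs in a .gitmodules file that use git://, the transport without host authentication raised above. It goes one step beyond the thread by also flagging plain http://. The function names are made up for this illustration; the sample input is the .gitmodules content quoted in the thread.

```shell
#!/bin/sh
# audit_gitmodules [FILE]: print "<submodule> <url>" for every submodule URL
# that uses git:// or http:// (no host authentication). Reads stdin when FILE
# is omitted or "-". Returns 1 if anything was flagged, 0 otherwise.
audit_gitmodules() {
    awk '
        # [submodule "name"] starts a submodule section
        /^[ \t]*\[submodule[ \t]+"/ {
            name = $0
            sub(/^[ \t]*\[submodule[ \t]+"/, "", name)
            sub(/"[ \t]*\].*$/, "", name)
            next
        }
        # any other section header ends it
        /^[ \t]*\[/ { name = ""; next }
        # url = value (git config keys are case-insensitive)
        name != "" && tolower($0) ~ /^[ \t]*url[ \t]*=/ {
            url = $0
            sub(/^[^=]*=[ \t]*/, "", url)
            sub(/[ \t]+$/, "", url)
            if (tolower(url) ~ /^(git|http):\/\//) {
                print name, url
                bad = 1
            }
        }
        END { exit (bad ? 1 : 0) }
    ' "${1:--}"
}

# The .gitmodules content quoted in this thread, used as sample input.
sample_gitmodules() {
    cat <<'EOF'
[submodule "gnulib"]
    path = gnulib
    url = git://git.sv.gnu.org/gnulib.git
[submodule "bootstrap"]
    path = gl-mod/bootstrap
    url = https://github.com/gnulib-modules/bootstrap.git
EOF
}

# Demo: prints "gnulib git://git.sv.gnu.org/gnulib.git" and the notice.
sample_gitmodules | audit_gitmodules - || echo "unauthenticated submodule URL(s) found"
```

In a checkout, run it as `audit_gitmodules .gitmodules`. After the URL in .gitmodules is changed, existing clones pick up the new URL with `git submodule sync`.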