
gnupg.org webpage advertises the use of insecure git:// protocol at various places
Open, Low, Public

Description

Several places on the gnupg web page recommend git clone commands using the git:// protocol to check out source code:

(also the libgcrypt page has the title tag "index", which is probably not ideal)

The git:// protocol is insecure by design and contains no cryptographic integrity. It can trivially be intercepted by a man-in-the-middle attack. This should be switched to https:// checkouts. It would probably be wise to just disable the legacy git protocol on the git servers altogether.

Event Timeline

hanno created this object in space S1 Public.
werner added a subscriber: werner.

Stick to your channels and get back after you have learned some basic developer workflows.

@werner, I cannot follow you. What exactly do you mean?

Should a developer only rely on signatures made on commits and tags in the repository? In this case, it might be a good idea to mention that all commits are signed and give information on how to check whether those are valid and recent (to prevent an interceptor from simply replacing the current repository with an old one that has valid signatures, but with code still containing known bugs). There are many git repositories out there which are not using signed commits, so it seems many developers are not aware of the fact that commits can/should be signed.

Furthermore, there are also too many (i.e. more than zero) networks today not providing complete Internet access, but web-only access. Users of those networks would also profit from having git over https access to the repository.
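The check described in the previous comment (is HEAD validly signed, and is it recent enough that a stale but correctly signed copy of the repository would be noticed), as an added example that is not part of this ticket or of the GnuPG project's own tooling. It assumes git and gpg are installed, that the signing key is already in the local keyring, and that the clone was fetched over https://; the 90-day window is an assumed default.

```sh
#!/bin/sh
# Added example: verify that HEAD of a clone carries a good signature
# from a trusted key and is not older than an allowed window.
# Relies on git's %G? signature-status code in `git log --format`.

# check_head_line STATUS COMMIT_EPOCH MAX_AGE_SECONDS NOW_EPOCH
# STATUS is the %G? code: G = good/trusted, U = good but untrusted key,
# B = bad, N = unsigned, E/X/Y/R = other failure states.
# Returns 0 only for a trusted signature on a sufficiently recent commit.
check_head_line() {
  status=$1; ctime=$2; max_age=$3; now=$4
  case "$status" in
    G) ;;
    U) echo "warning: good signature, but key is not trusted"; return 1 ;;
    *) echo "error: HEAD is not validly signed (status $status)"; return 1 ;;
  esac
  if [ $((now - ctime)) -gt "$max_age" ]; then
    echo "error: HEAD is older than the allowed window; possible stale-repo replay"
    return 1
  fi
  return 0
}

# verify_checkout REPO_DIR [MAX_AGE_DAYS]
# Reads the signature status and committer time of HEAD and applies the check.
verify_checkout() {
  repo=$1; max_age_days=${2:-90}
  line=$(git -C "$repo" log -1 --format='%G? %ct' HEAD) || return 1
  set -- $line
  check_head_line "$1" "$2" $((max_age_days * 86400)) "$(date +%s)"
}

# Usage (after `git clone https://...`):  verify_checkout ./gnupg 90
```

A tag-based variant would use `git verify-tag` on a release tag instead of inspecting HEAD; the recency check is what defends against being handed an old, still validly signed tree.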

Git repos are development only and developers need to find a way to establish some trust in the source before building it. All kinds of mischief can happen with arbitrary sources. https does not help at all. You need to find a way to establish trust - how you do that is up to you. For example, looking at signed commits and trying to figure out whether you can trust this key.

That's all nothing for a bug tracker, but it was a personal note towards Hanno. It should have been made private, but he started again flooding me with his kinds of reports, which made me quite upset again - in particular after having read one of his unfounded rants on a German IT news portal. Publish bugs and be transparent and you get flak; hide things and you are highly valuable software.

aheinecke assigned this task to cbiedl.
aheinecke added a subscriber: aheinecke.

Anyhow. Let us unrelate this from personal issues and, just to be clear, respect the content of the issue. Git links should not be promoted, and cbiedl asked me today why we disagree, because plain text protocols are really not state of the art. Cbiedl: You should be able to fix this; it would be in the gnupg-doc branch afaik. If you have permission problems, please let me know. I'll assign this to you.

werner added a project: gpgweb.