Re: [Qemu-devel] insecure git submodule URLs

From: Peter Maydell
Subject: Re: [Qemu-devel] insecure git submodule URLs
Date: Sun, 15 Jul 2018 22:18:23 +0100

On 15 July 2018 at 20:50, Jann Horn via Qemu-devel
<address@hidden> wrote:
> I noticed that when I build QEMU from git for the first time, it pulls
> in submodules over the insecure git:// protocol - in other words, as
> far as I can tell, if I'm e.g. on an open wifi network while building
> QEMU for the first time, even if I cloned the main repository over
> https, anyone could smuggle in malicious code as part of e.g. a
> submodule's makefile.

Yes, this came up the other week.

> I'm not sure what your preferred fix for this is, so I'm not sending a
> patch yet. As far as I can tell, the two options are:
>  - change .gitmodules to use https for everything

We should probably do this...

>  - change .gitmodules to use relative URLs
> If you want, I'll send a patch that does one of these, although it's
> probably faster if you just do it yourselves.
> Relative URLs would have the advantage that if someone is cloning from
> a mirror (in other words, github), the submodules will also
> automatically come from the same mirror.

Do we mirror all our submodules to github?

> As far as I can tell, the QEMU git server only supports the "dumb" git
> protocol when accessed over HTTPS, not the "smart" protocol. I'm not
> sure whether that might be why QEMU is currently still using the
> insecure git protocol instead of git over HTTPS?

This is why we haven't switched over the submodules yet, yes.
It's on Jeff's todo list for the server, though.

-- PMM
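An added check for the problem Jann describes (example script written for this page, not QEMU's own code): it lists the submodules in a .gitmodules file that are fetched over the unauthenticated git:// transport and writes a copy with those URLs switched to https://, the first of the two fixes proposed above. It assumes the standard .gitmodules layout and uses constructed sample entries on example.invalid; whether the server actually serves the same path over HTTPS is a separate question, as the thread notes.

```shell
#!/bin/sh
# Audit a .gitmodules file for submodule URLs using git:// (no transport
# authentication, so an on-path attacker can substitute content) and
# produce a copy with them rewritten to https://.
# Pure sh + awk + sed, so it does not depend on git being installed.

# Print "<name> <url>" for every submodule whose url uses git://.
# Exit status 0 if at least one insecure entry was found, 1 otherwise.
list_insecure_submodules() {
    awk '
        /^\[submodule "/ {
            name = $0
            sub(/^\[submodule "/, "", name)
            sub(/"\][[:space:]]*$/, "", name)
        }
        /^[[:space:]]*url[[:space:]]*=/ {
            url = $0
            sub(/^[[:space:]]*url[[:space:]]*=[[:space:]]*/, "", url)
            if (url ~ /^git:\/\//) { print name, url; found = 1 }
        }
        END { exit(found ? 0 : 1) }
    ' "$1"
}

# Write a copy of $1 to $2 with every git:// submodule URL rewritten to
# https:// on the same host and path. Relative URLs (../foo.git) are left
# alone: they already follow whatever transport the superproject used.
rewrite_git_to_https() {
    sed 's#^\([[:space:]]*url[[:space:]]*=[[:space:]]*\)git://#\1https://#' "$1" > "$2"
}

# Constructed sample .gitmodules: one git:// entry and one relative entry.
# Names and host are placeholders, not QEMU's real submodules.
make_sample_gitmodules() {
    printf '[submodule "libfoo"]\n\tpath = libfoo\n\turl = git://example.invalid/libfoo.git\n' > "$1"
    printf '[submodule "ui/bar"]\n\tpath = ui/bar\n\turl = ../bar.git\n' >> "$1"
}
```

Run the audit before the first `git submodule update` on a fresh clone, since that is the moment the insecure fetch would happen.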
