Message-ID: <1503182399.6857.0.camel@gentoo.org>
Subject: Re: [gentoo-dev] Re: [PATCH 2/2] git-r3.eclass: Explicitly warn about unsecure protocols
From: Michał Górny <mgorny@gentoo.org>
To: gentoo-dev@lists.gentoo.org
Date: Sun, 20 Aug 2017 00:39:59 +0200
References: <20170819082502.27716-1-mgorny@gentoo.org> <20170819082502.27716-2-mgorny@gentoo.org>
Organization: Gentoo

On Sat, 19.08.2017 at 22:01 +0000, Duncan wrote:
> Michał Górny posted on Sat, 19 Aug 2017 10:25:02 +0200 as excerpted:
> 
> > Explicitly warn about any URI that uses an unsecure protocol (git, http)
> > even if it's a fallback URI. This is necessary because an attacker may
> > block HTTPS connections, effectively forcing the fallback to
> > the unsecure protocol.
> 
> Thanks for this pair of patches. One minor correction, below.
> 
> > eclass/git-r3.eclass | 11 ++++++++++-
> > 1 file changed, 10 insertions(+), 1 deletion(-)
> > 
> > diff --git a/eclass/git-r3.eclass b/eclass/git-r3.eclass
> > index 42b586811368..1eb0baedc67f 100644
> > --- a/eclass/git-r3.eclass
> > +++ b/eclass/git-r3.eclass
> > @@ -570,6 +570,15 @@ git-r3_fetch() {
> > 
> > [[ ${repos[@]} ]] || die "No URI provided and EGIT_REPO_URI unset"
> > 
> > + local r
> > + for r in "${repos[@]}"; do
> > + if [[ ${r} == git:* || ${r} == http:* ]]; then
> > + ewarn "git-r3: ${r%%:*} protocol in unsafe and may be subject to MITM attacks"
> 
> s/in unsafe/is unsafe/
> 

Thanks, fixed locally.

-- 
Best regards,
Michał Górny
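Review bot: the `if [[ ${r} == git:* || ${r} == http:* ]]` test in the loop covers only those two schemes, but git also accepts `ftp://` URIs, which are just as unauthenticated, so an `ftp:` entry in EGIT_REPO_URI would pass without the warning; consider `[[ ${r} == git:* || ${r} == http:* || ${r} == ftp:* ]]`. The `ewarn` message would also be more useful if it said what to do about it (switch the entry to https:// or ssh://), since as written the ebuild author only learns that the URI is unsafe, not how to fix it.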
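As an added example that is not part of this message or of git-r3.eclass, the POSIX shell script below generalizes the check the patch introduces: it extracts the transport scheme of each URI in a list (treating scp-style `user@host:path` as git over ssh and a bare path as a local file), flags git://, http:// and ftp:// as unauthenticated no matter where they sit in the primary-plus-fallback list, and also offers a filter that drops them, for callers who would rather enforce "never fall back to plaintext" than warn about it. The function names (`uri_scheme`, `uri_is_insecure`, `insecure_uris`, `secure_uris`, `demo`) and the example.org URIs are hypothetical and constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from git-r3.eclass. Helper names are hypothetical.

# uri_scheme URI: print the lowercased transport scheme. scp-like "user@host:path"
# (a colon with no slash before it, and no "://") is git over ssh; anything
# else without "://" is a local path.
uri_scheme() {
    case "$1" in
        *://*) scheme=${1%%://*} ;;
        *:*)
            case "${1%%:*}" in
                */*) scheme=file ;;   # slash before the first colon: local path
                *)   scheme=ssh ;;    # git@host:path
            esac ;;
        *) scheme=file ;;
    esac
    printf '%s\n' "$scheme" | tr 'A-Z' 'a-z'
}

# uri_is_insecure URI: succeed when the transport gives no authentication of
# the peer, so an on-path attacker can serve a modified repository. Schemes
# not known to be authenticated are treated as insecure (fail closed).
uri_is_insecure() {
    case "$(uri_scheme "$1")" in
        https|ssh|git+ssh|ssh+git|ftps|file) return 1 ;;
        *) return 0 ;;
    esac
}

# insecure_uris URI...: print "SCHEME URI" for every insecure entry. Position
# in the list is irrelevant: a plaintext fallback is exactly what an attacker
# who blocks the HTTPS entries forces the fetch to use.
insecure_uris() {
    for r in "$@"; do
        if uri_is_insecure "$r"; then
            printf '%s %s\n' "$(uri_scheme "$r")" "$r"
        fi
    done
}

# secure_uris URI...: the same list with insecure entries removed, for callers
# that want enforcement rather than a warning.
secure_uris() {
    for r in "$@"; do
        uri_is_insecure "$r" || printf '%s\n' "$r"
    done
}

# Constructed sample list: a secure primary plus three fallbacks, two of them
# plaintext (one with an upper-case scheme, which the patch's pattern would miss).
demo() {
    insecure_uris \
        'https://git.example.org/proj.git' \
        'git://git.example.org/proj.git' \
        'HTTP://mirror.example.org/proj.git' \
        'git@git.example.org:proj.git'
}

demo
```

Running the script prints the two plaintext fallbacks with their schemes; the ssh entry and the https primary are not reported. Scheme matching is done on the lowercased scheme because URI scheme names are case-insensitive.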