On Fri, Jan 29, 2016 at 06:40:57PM -0500, Daniel Kahn Gillmor wrote:
> Package: git
> Tags: security
> 
> Currently by default, git does not verify the integrity of objects it
> requests by digest over the network.
> 
> This suggests that momentary control over a malicious repository or (for
> unencrypted transports) momentary control over the network is sufficient
> to produce a modified working copy with at worst a non-fatal warning.
> 
> I think these failures can be avoided by setting the following config
> options to "true" by default:
> 
>  transfer.fsckobjects
>  fetch.fsckobjects
>  receive.fsckobjects
> 
> Many users of git rely on commit IDs for integrity proof that they're
> working from the same point in the repository held by other developers
> (i've certainly told people that they can do this) without knowing that
> one pull from a malicious repo could tamper with the contents of a
> freshly-received object without noticing.
> 
> git should default to safe usage, and people with an argument for unsafe
> usage should change their own defaults manually.

Git is, in fact, safe by default. See
https://news.ycombinator.com/item?id=11032094

Mike

Reply via email to