From: Junio C Hamano <gitster@pobox.com>
To: Fraser Tweedale <frase@frase.id.au>
Cc: git@vger.kernel.org
Subject: Re: [PATCH] documentation: add git transport security notice
Date: Mon, 24 Jun 2013 09:24:29 -0700 [thread overview]
Message-ID: <7vppvbbhoi.fsf@alter.siamese.dyndns.org> (raw)
In-Reply-To: <1372069414-12601-1-git-send-email-frase@frase.id.au> (Fraser Tweedale's message of "Mon, 24 Jun 2013 20:23:34 +1000")
Fraser Tweedale <frase@frase.id.au> writes:
> The fact that the git transport has no end-to-end security is easily
> overlooked. Add a brief security notice to the "GIT URLS" section
> of the documentation stating that the git transport should be used
> with caution on unsecured networks.
>
> Signed-off-by: Fraser Tweedale <frase@frase.id.au>
> ---
> Documentation/urls.txt | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/Documentation/urls.txt b/Documentation/urls.txt
> index 3ca122f..c218af5 100644
> --- a/Documentation/urls.txt
> +++ b/Documentation/urls.txt
> @@ -11,6 +11,9 @@ and ftps can be used for fetching and rsync can be used for fetching
> and pushing, but these are inefficient and deprecated; do not use
> them).
>
> +The git protocol provides no end-to-end security and should be used
> +with caution on unsecured networks.
Is this necessary?
I thought we already say the git protocol does not even authenticate
elsewhere in the document, and if not, I think it is a sensible
thing to say here. And once it is done, I doubt it is necessary to
bring up a narrower concept such as "end-to-end security" which
requires a lot more than authentication.
The only thing git protocol ensures is that the receiving end
validates that what is fetched from an unknown server, and what is
pushed by an unknown pusher, is internally consistent.
If you allowed a push over the git protocol by enabling the
receive-pack service in "git daemon" (not recommended), you may
allow anonymous users to delete branches and to do other funky
things unless you protect your repository with pre-receive hook, but
that won't corrupt the repository (of course, deleting all the refs
may make the repository an empty but not corrupt one, which is just
as unusable as a corrupt one, so there may not be a huge practical
difference). If you fetched from an unauthenticated server,
possibly with MITM, over the git protocol, you may end up getting
something you did not ask for, but the resulting history in your
repository would still be internally consistent (the commits may be
malicious ones, of course, but that is what signed tags are there to
protect you against).
next prev parent reply other threads:[~2013-06-24 16:24 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-06-24 10:23 [PATCH] documentation: add git transport security notice Fraser Tweedale
2013-06-24 16:24 ` Junio C Hamano [this message]
2013-06-24 21:57 ` Fraser Tweedale
2013-06-24 22:27 ` Fredrik Gustafsson
2013-06-24 22:35 ` Junio C Hamano
2013-06-24 22:47 ` Fredrik Gustafsson
2013-06-24 22:28 ` Junio C Hamano
-- strict thread matches above, loose matches on Subject: below --
2013-06-26 5:53 Fraser Tweedale
2013-07-05 8:41 Fraser Tweedale
2013-07-07 0:50 ` Jonathan Nieder
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: http://vger.kernel.org/majordomo-info.html
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=7vppvbbhoi.fsf@alter.siamese.dyndns.org \
--to=gitster@pobox.com \
--cc=frase@frase.id.au \
--cc=git@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://80x24.org/mirrors/git.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).